On Fri, Mar 15, 2019 at 4:31 PM Ben Pfaff <[email protected]> wrote:

> On Fri, Mar 15, 2019 at 04:17:34PM -0700, Darrell Ball wrote:
> > On Fri, Mar 15, 2019 at 3:56 PM Ben Pfaff <[email protected]> wrote:
> >
> > > On Fri, Mar 15, 2019 at 03:01:18PM -0700, Darrell Ball wrote:
> > > > Reference lists are not fully protected during cleanup of
> > > > NAT connections where the bucket lock is transiently not held during
> > > > list traversal. This can lead to referencing freed memory during
> > > > cleaning from multiple contexts. Fix this by protecting with
> > > > the existing 'cleanup' mutex in the missed cases where 'conn_clean()'
> > > > is called. 'conntrack_flush()' is converted to expiry list traversal
> > > > to support the proper bucket level protection with the 'cleanup' mutex.
> > > >
> > > > The NAT exhaustion case cleanup in 'conn_not_found()' is also modified
> > > > to avoid the same issue.
> > > >
> > > > Fixes: 286de2729955 ("dpdk: Userspace Datapath: Introduce NAT Support.")
> > > > Reported-by: solomon <[email protected]>
> > > > Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2019-March/357056.html
> > > > Tested-by: solomon <[email protected]>
> > > > Signed-off-by: Darrell Ball <[email protected]>
> > > > ---
> > > >
> > > > This patch is targeted for earlier releases as new RCU patches
> > > > inherently don't have this race.
> > > >
> > > > Backport to 2.8.
> > >
> > > Thanks. I applied this to master, branch-2.11, and branch-2.10. 2.9
> > > and 2.8 had conflicts.
> >
> > I will create the backport patches for 2.9 and 2.8.
> >
> > Regarding branch 2.8 - it has diverged quite a bit in general from branch >=2.9.
> > This is because of some small features/cosmetic changes that went into 2.9.
> > One option would be to bring 2.8 into sync with 2.9 in one patch.
> > Alternatively,
> > backport all dependencies and fixes separately. Thoughts ?
>
> Usually it's better to backport them separately, because it makes it
> clear at a glance what happened in a list of patches.

yep

> But that can
> sometimes be a lot of trouble, and in that case a single patch can make
> sense.

It is the "lot of trouble" part I am trying to avoid.
Let me see.
