After inserting/removing a bucket, we don't update the bucket counter. When we call ovs-ofctl dump-group-stats br-int, a panic happened.
Reproduce steps: 1. ovs-ofctl -O OpenFlow15 add-group br-int "group_id=1, type=select, selection_method=hash bucket=bucket_id=1,weight:100,actions=output:1" 2. ovs-ofctl insert-buckets br-int "group_id=1, command_bucket_id=last, bucket=bucket_id=7,weight:800,actions=output:1" 3. ovs-ofctl dump-group-stats br-int gdb) bt #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51 #1 0x00007f028675b42a in __GI_abort () at abort.c:89 #2 0x00007f0286797c00 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7f028688cd98 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175 #3 0x00007f028679dfc6 in malloc_printerr (action=3, str=0x7f028688cea8 "free(): invalid next size (fast)", ptr=<optimized out>, ar_ptr=<optimized out>) at malloc.c:5049 #4 0x00007f028679e80e in _int_free (av=0x7f0286ac0b00 <main_arena>, p=0x55cac2920040, have_lock=0) at malloc.c:3905 #5 0x000055cab8fd6d8e in append_group_stats (group=0x55cac250d860, replies=0x7fffe6a11b90) at ofproto/ofproto.c:6770 #6 0x000055cab8fd8d04 in handle_group_request (ofconn=ofconn@entry=0x55cac28ec5a0, request=request@entry=0x55cac29317f0, group_id=<optimized out>, cb=cb@entry=0x55cab8fd6cd0 <append_group_stats>) at ofproto/ofproto.c:6790 #7 0x000055cab8fe2a96 in handle_group_stats_request (request=0x55cac29317f0, ofconn=0x55cac28ec5a0) at ofproto/ofproto.c:6815 #8 handle_openflow__ (msg=0x55cac29365c0, ofconn=0x55cac28ec5a0) at ofproto/ofproto.c:8282 #9 handle_openflow (ofconn=0x55cac28ec5a0, ofp_msg=0x55cac29365c0) at ofproto/ofproto.c:8362 #10 0x000055cab9013ddb in ofconn_run (handle_openflow=0x55cab8fe23c0 <handle_openflow>, ofconn=0x55cac28ec5a0) at ofproto/connmgr.c:1446 #11 connmgr_run (mgr=0x55cabb2ce360, handle_openflow=handle_openflow@entry=0x55cab8fe23c0 <handle_openflow>) at ofproto/connmgr.c:365 #12 0x000055cab8fdc516 in ofproto_run (p=0x55cabb2cddd0) at ofproto/ofproto.c:1825 #13 0x000055cab8fcabfc in bridge_run__ () at vswitchd/bridge.c:2944 #14 0x000055cab8fcfe64 in bridge_run () at vswitchd/bridge.c:3002 #15 0x000055cab8c693ed in main (argc=<optimized out>, argv=<optimized out>) at vswitchd/ovs-vswitchd.c:125 Signed-off-by: solomon <[email protected]> --- ofproto/ofproto.c | 2 ++ tests/ofproto.at | 16 ++++++++++++++++ 2 files changed, 18 insertions(+) diff --git a/ofproto/ofproto.c b/ofproto/ofproto.c index 0a8d141a4..96cdf0b5b 100644 --- a/ofproto/ofproto.c +++ b/ofproto/ofproto.c @@ -7192,6 +7192,8 @@ modify_group_start(struct ofproto *ofproto, struct ofproto_group_mod *ogm) *CONST_CAST(long long int *, &(new_group->created)) = old_group->created; *CONST_CAST(long long int *, &(new_group->modified)) = time_msec(); + *CONST_CAST(uint32_t *, &(new_group->n_buckets)) = + ovs_list_size(&(new_group->buckets)); group_collection_add(&ogm->old_groups, old_group); /* Mark the old group for deletion. */ diff --git a/tests/ofproto.at b/tests/ofproto.at index f32d987fa..c5cebd9fe 100644 --- a/tests/ofproto.at +++ b/tests/ofproto.at @@ -1257,6 +1257,22 @@ OFPST_GROUP reply (OF1.5): OVS_VSWITCHD_STOP AT_CLEANUP +dnl This is used to find that the bucket counter is not updated. +AT_SETUP([ofproto - group stats after insert a new bucket (OpenFlow 1.5)]) +OVS_VSWITCHD_START +AT_DATA([groups.txt], [dnl +group_id=1234,type=select,selection_method=hash bucket=bucket_id=1,weight:100,actions=output:10 +]) +AT_CHECK([ovs-ofctl -O OpenFlow15 -vwarn add-groups br0 groups.txt]) +AT_CHECK([ovs-ofctl -O OpenFlow15 -vwarn insert-buckets br0 'group_id=1234, command_bucket_id=last, bucket=bucket_id=2,weight:100,actions=output:10']) +AT_CHECK([ovs-ofctl -O OpenFlow15 -vwarn dump-group-stats br0 group_id=1234], [0], [stdout]) +AT_CHECK([strip_xids < stdout | sed 's/duration=[[0-9.]]*s/duration=?s/' | sort], [0], [dnl + group_id=1234,duration=?s,ref_count=0,packet_count=0,byte_count=0,bucket0:packet_count=0,byte_count=0,bucket1:packet_count=0,byte_count=0 +OFPST_GROUP reply (OF1.5): +]) +OVS_VSWITCHD_STOP +AT_CLEANUP + dnl This found a use-after-free error in bridge destruction in the dnl presence of groups. AT_SETUP([ofproto - group add then bridge delete (OpenFlow 1.3)]) -- 2.11.0 _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
