RCU alone may not be sufficient. The deletion of a rule or group uses both RCU and reference counting, but the deletion of an ofproto uses only RCU.

The execution process is as follows:

ofproto_destroy => p->ofproto_class->destruct => ofproto_rule_delete => ofproto_rule_unref (suppose rule-A's reference count has not yet reached its last reference; rule-A will not be added to the deferred deletion list) => … => ofproto_destroy (the ofproto is added to the deferred deletion list directly in the last line of the function) => soon after, rule-A's reference count reaches its last reference, and it is added to the deferred deletion list after the ofproto.

So the ofproto will be released before rule-A. When rule_destroy_cb is executed, the internal access to the ofproto will cause a use-after-free.

-----Original Message-----
From: Ben Pfaff [mailto:[email protected]]
Sent: 7 March 2020 4:58
To: guohongzhi (A) <[email protected]>
Cc: [email protected]; [email protected]; Zhoujingbin (Robin, Russell Lab) <[email protected]>; chenchanghu <[email protected]>; Lilijun (Jerry) <[email protected]>
Subject: Re: [PATCH] [ovs-dev]ofproto:fix use-after-free

On Fri, Mar 06, 2020 at 09:05:55PM +0800, guohongzhi wrote:
> ASAN report use-after-free when destroy ofproto_rule, the
> rule->ofproto has freed in ofproto_destroy.
> Add ref_count for ofproto to avoid use-after-free when destroy
> ofproto_rule and group.
>
> Signed-off-by: guohongzhi <[email protected]>

Why isn't RCU sufficient to avoid use-after-free?

_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
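The ordering problem described in the reply above, as an added example that is not OVS code and not part of the thread: deferred (RCU-style) deletion is modelled as a FIFO of callbacks run at a grace-period boundary, and the "fix" branch models the commit message's idea of a per-ofproto reference held by each rule. All struct and function names are assumptions for the model, and "freed" is a flag rather than a real free() so the check stays observable.

```c
/* Model of deferred deletion ordering (hypothetical, not OVS code).
 * postpone() stands in for an RCU postpone; callbacks run in FIFO order. */
#include <stdbool.h>
#include <stddef.h>

struct ofproto { int refcnt; bool freed; };
struct rule {
    struct ofproto *ofproto;
    int refcnt;
    bool holds_ofproto_ref;   /* true models the patch: rule pins its ofproto */
    bool uaf_seen;            /* set if the rule callback saw a freed ofproto */
};

typedef void (*cb_fn)(void *);
static struct { cb_fn fn; void *arg; } deferred[8];
static int n_deferred;

static void postpone(cb_fn fn, void *arg) {
    deferred[n_deferred].fn = fn;
    deferred[n_deferred++].arg = arg;
}

/* Grace period: drain the list in order; callbacks may postpone more work. */
static void run_grace_period(void) {
    for (int i = 0; i < n_deferred; i++) deferred[i].fn(deferred[i].arg);
    n_deferred = 0;
}

static void ofproto_destroy_cb(void *p) { ((struct ofproto *)p)->freed = true; }
static void ofproto_unref(struct ofproto *p) {
    if (--p->refcnt == 0) postpone(ofproto_destroy_cb, p);
}

static void rule_destroy_cb(void *r_) {
    struct rule *r = r_;
    r->uaf_seen = r->ofproto->freed;          /* callback touches rule->ofproto */
    if (r->holds_ofproto_ref) ofproto_unref(r->ofproto);
}
static void rule_unref(struct rule *r) {
    if (--r->refcnt == 0) postpone(rule_destroy_cb, r);
}

/* Returns true if rule_destroy_cb ran against an already-freed ofproto. */
static bool simulate(bool rule_holds_ofproto_ref) {
    struct ofproto p = { .refcnt = 1, .freed = false };
    struct rule a = { &p, 2, rule_holds_ofproto_ref, false }; /* one other holder */
    if (rule_holds_ofproto_ref) p.refcnt++;
    rule_unref(&a);      /* ofproto_destroy -> ... -> ofproto_rule_unref: not the last ref */
    ofproto_unref(&p);   /* last line of ofproto_destroy: ofproto postponed (if unpinned) */
    rule_unref(&a);      /* soon after, rule-A's last ref drops: postponed after ofproto */
    run_grace_period();
    return a.uaf_seen;
}
```

With the plain RCU ordering `simulate(false)` reports the stale access; with the rule holding an ofproto reference the ofproto's destroy callback is only queued from inside rule_destroy_cb, so it runs after the rule's.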
