On Fri, Apr 10, 2020 at 02:54:41PM -0700, William Tu wrote:
> On Thu, Apr 09, 2020 at 11:37:39AM -0700, Yifeng Sun wrote:
> > This patch enhances a system traffic test to prevent regression on
> > the tunnel metadata table (tun_table) handling with frozen state.
> > Without a proper fix this test can crash ovs-vswitchd due to a
> > use-after-free bug on tun_table.
> >
> > These are the timed sequence of how this bug is triggered:
> >
> > - Adds an OpenFlow rule in OVS that matches Geneve tunnel metadata that
> > contains a controller action.
> > - When the first packet matches the aforementioned OpenFlow rule,
> > during the miss upcall, OVS stores a pointer to the tun_table (that
> > decodes the Geneve tunnel metadata) in a frozen state and pushes down
> > a datapath flow into kernel datapath.
> > - Issues a add-tlv-map command to reprogram the tun_table on OVS.
> > OVS frees the old tun_table and create a new tun_table.
> > - A subsequent packet hits the kernel datapath flow again. Since
> > there is a controller action associated with that flow, it triggers
> > slow path controller upcall.
> > - In the slow path controller upcall, OVS derives the tun_table
> > from the frozen state, which points to the old tun_table that is
> > already being freed at this time point.
> > - In order to access the tunnel metadata, OVS uses the invalid
> > pointer that points to the old tun_table and triggers the core dump.
> >
> > Signed-off-by: Yi-Hung Wei <[email protected]>
> > Signed-off-by: Yifeng Sun <[email protected]>
> > Co-authored-by: Yi-Hung Wei <[email protected]>
> > ---
>
> Applied, thanks
> William
I also backport to 2.13.
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
