On 3/9/20 3:35 AM, guohongzhi (A) wrote:
> Only RCU may not be sufficient. The deletion of rule and group uses both RCU
> and reference accounting, but the deletion of ofproto uses only RCU.
>
> The execution process is as follows:
> ofproto_destroy=>p->ofproto_class->destruct=>ofproto_rule_delete=>ofproto_rule_unref
> (suppose rule-A’s reference accounting does not reach the last, rule-A will not
> be added to deferred deletion list)=>…=>ofproto_destroy (The ofproto will be
> added to deferred deletion list directly in the last line of the
> function)=>soon after, rule-A’s reference accounting reaches the last, it will
> be added to deferred deletion list after ofproto. So, ofproto will be released
> before the rule-A. When the rule_destroy_cb is executed, the internal access
> of ofproto will cause use-after-free.
>
>
> -----Original Message-----
> From: Ben Pfaff [mailto:[email protected]]
> Sent: March 7, 2020 4:58
> To: guohongzhi (A) <[email protected]>
> Cc: [email protected]; [email protected]; Zhoujingbin (Robin, Russell Lab)
> <[email protected]>; chenchanghu <[email protected]>; Lilijun
> (Jerry) <[email protected]>
> Subject: Re: [PATCH] [ovs-dev]ofproto:fix use-after-free
>
> On Fri, Mar 06, 2020 at 09:05:55PM +0800, guohongzhi wrote:
>> ASAN report use-after-free when destroy ofproto_rule, the
>> rule->ofproto has freed in ofproto_destroy.
>> Add ref_count for ofproto to avoid use-after-free when destroy
>> ofproto_rule and group.
>>
>> Signed-off-by: guohongzhi <[email protected]>
>
> Why isn't RCU sufficient to avoid use-after-free?

Marking this patch as 'changes requested' in patchwork in context of my
comments to the similar patch:
http://patchwork.ozlabs.org/project/openvswitch/patch/[email protected]/#2637046

Best regards, Ilya Maximets.
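
The ordering described in the quoted message, as an added example that is not part of the thread and is not OVS code: a toy FIFO of deferred frees in which rule-A's destroy callback reads its ofproto, run once with only the rule reference-counted and once with the rule also holding a reference on its ofproto. All names (`postpone`, `run_deferred`, `simulate`) are hypothetical, and objects are flagged as freed rather than released so the stale access can be observed safely.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy model (assumption, not OVS code): "freed" is a flag, nothing is released. */
struct ofproto { int ref; bool freed; };
struct rule { struct ofproto *ofproto; int ref; bool saw_freed_ofproto; };
struct deferred { bool is_rule; void *obj; };
static struct deferred queue[4];   /* deferred deletion list, FIFO */
static size_t qlen;

static void postpone(bool is_rule, void *obj) {
    queue[qlen].is_rule = is_rule;
    queue[qlen].obj = obj;
    qlen++;
}
static void ofproto_unref(struct ofproto *p) { if (--p->ref == 0) postpone(false, p); }
static void rule_unref(struct rule *r) { if (--r->ref == 0) postpone(true, r); }

/* Grace period ends: callbacks run in the order they were queued. */
static void run_deferred(bool rule_holds_ofproto_ref) {
    for (size_t i = 0; i < qlen; i++) {          /* qlen may grow while draining */
        if (!queue[i].is_rule) {
            ((struct ofproto *)queue[i].obj)->freed = true;
            continue;
        }
        struct rule *r = queue[i].obj;           /* stands in for rule_destroy_cb */
        r->saw_freed_ofproto = r->ofproto->freed; /* the internal access of ofproto */
        if (rule_holds_ofproto_ref) ofproto_unref(r->ofproto);
    }
    qlen = 0;
}

/* Returns true if rule-A's destroy callback ran after its ofproto was freed. */
bool simulate(bool with_ofproto_refcount) {
    struct ofproto p = { .ref = 1, .freed = false };
    struct rule a = { .ofproto = &p, .ref = 2, .saw_freed_ofproto = false };
    qlen = 0;
    if (with_ofproto_refcount) p.ref++;  /* rule-A pins its ofproto */
    rule_unref(&a);     /* destruct path drops one ref; not the last, not queued */
    ofproto_unref(&p);  /* last line of ofproto_destroy: queued unless pinned */
    rule_unref(&a);     /* soon after: last ref dropped, rule-A queued */
    run_deferred(with_ofproto_refcount);
    return a.saw_freed_ofproto;
}

int main(void) {
    printf("RCU only: stale ofproto seen = %d\n", simulate(false));
    printf("ofproto refcounted: stale ofproto seen = %d\n", simulate(true));
    return 0;
}
```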
