Hi, TongHao and Ilya

This patch was reported at https://mail.openvswitch.org/pipermail/ovs-discuss/2020-August/050489.html and it was fixed by patch 1f3a090 ("net: openvswitch: introduce common code for flushing flows")

Best regards,
Wentao Jia

Hi, TongHao and Ilya

I guess this bug was fixed by patch 1f3a090 ("net: openvswitch: introduce common code for flushing flows"), but this patch is not for fix bug use-after-free flow mask

>> On 3/24/22 05:17, Wentao Jia wrote:
>> >
>> > on destroy flow table instance, referenced flow mask may be released
>> > too. function ovs_flow_tbl_destroy(), release flow mask first and then
>> > destroy flow table instance. this will trigger kernel panic on destroy
>> > datapath
>> >
>> > [ 377.647756] kernel BUG at .../datapath/linux/flow_table.c:272!
>> > [ 377.653794] invalid opcode: 0000 [#1] SMP PTI
>> > [ 377.666827] RIP: 0010:table_instance_flow_free.isra.7+0x148/0x150
>> > [ 377.711465] Call Trace:
>> > [ 377.715238] <IRQ>
>> > [ 377.718964] table_instance_destroy+0xbe/0x160 [openvswitch]
>> > [ 377.722793] destroy_dp_rcu+0x12/0x40 [openvswitch]
>> > [ 377.726651] rcu_process_callbacks+0x297/0x460
>> > [ 377.736795] __do_softirq+0xe3/0x30a
>> > [ 377.740654] ? ktime_get+0x36/0xa0
>> > [ 377.744490] irq_exit+0x100/0x110
>> > [ 377.748514] smp_apic_timer_interrupt+0x74/0x140
>> > [ 377.752817] apic_timer_interrupt+0xf/0x20
>> > [ 377.758802] </IRQ>
>> >
>> > Fixes: 6d1cf7f3e ("datapath: fix possible memleak on destroy
>> > flow-table")
>for linux upstream, fix tag:
>Fixes: 50b0e61b32ee ("net: openvswitch: fix possible memleak on
>destroy flow-table")
>> >
>> > Signed-off-by: Wentao Jia <[email protected]>
>> > Signed-off-by: Chuanjie Zeng <[email protected]>
>> > ---
>>
>> Hi, Wentao Jia.
>> Thanks for the patch!
>>
>> Please, send it to the mainline linux kernel ('netdev' mailing list,
>> keeping the ovs-dev in CC) using the linux kernel process for
>> submitting patches.
>>
>> When it is accepted to the upstream kernel, it can be backported to
>> the OOT kernel module in OVS repository.
>>
>> Best regards, Ilya Maximets.
>>
>> > datapath/flow_table.c | 2 +- >> > >> 1 file changed, 1 insertion(+), 1 deletion(-) >> > >> > >> > diff --git >> a/datapath/flow_table.c b/datapath/flow_table.c >> > index >> 650338fb0..b2f4b1108 100644 >> > --- a/datapath/flow_table.c >> > +++ >> b/datapath/flow_table.c >> > @@ -415,8 +415,8 @@ void >> ovs_flow_tbl_destroy(struct flow_table *table) >> > struct table_instance >> *ufid_ti = rcu_dereference_raw(table->ufid_ti); >> > >> > >> > >> free_percpu(table->mask_cache); >> > - >> kfree(rcu_dereference_raw(table->mask_array)); >> > >> table_instance_destroy(table, ti, ufid_ti, false); >> > + >> kfree(rcu_dereference_raw(table->mask_array)); >> > } >> >
>
>--
>Best regards, Tonghao
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
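
Review bot: in ovs_flow_tbl_destroy(), nothing in the hunk records that kfree(rcu_dereference_raw(table->mask_array)) must now come after table_instance_destroy(), so a later cleanup could swap the two calls back; add a one-line comment above the kfree() stating that the table instance teardown still references the masks. The commit message should also say what table_instance_flow_free() checks at flow_table.c:272, since the trace alone does not show which mask access fails, and the Fixes: tag should carry the 12-character upstream hash given in the reply (50b0e61b32ee) when this is sent to netdev.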
