git.onelab.eu Git - sliver-openvswitch.git/commit

author	Ben Pfaff <blp@nicira.com>
	Tue, 25 Feb 2014 16:01:01 +0000 (08:01 -0800)
committer	Ben Pfaff <blp@nicira.com>
	Tue, 25 Feb 2014 16:01:01 +0000 (08:01 -0800)
commit	3f142f59f2859ef5c2bc124405ab4d683d3f416b
tree	32680d014f5d54c74081a6752283583e96987503	tree \| snapshot
parent	5d5ffe9cb3a21b87a86b7f681922471241c7ef73	commit \| diff

ofproto-dpif: Complete all packet translations before freeing an ofproto.

The following scenario can occur:

   1. Handler thread grabs a pointer to an ofproto in handle_upcalls().

   2. Main thread removes ofproto and destroys it in destruct().

   3. Handler thread uses pointer to ofproto and accesses freed memory.
      BOOM!

Each individual step above happens under the xlate_rwlock, but the ofproto
pointer is retained from step 1 to step 3, hence the problem.  This commit
fixes the problem by ensuring that after an ofproto is removed but before
it is destroyed, all packet translations get pushed all the way through
the upcall handler pipeline.  (No new packet translations can get a pointer
to the removed ofproto.)

Bug #1200351.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Alex Wang <alexw@nicira.com>

ofproto/ofproto-dpif-upcall.c		diff \| blob \| history
ofproto/ofproto-dpif-upcall.h		diff \| blob \| history
ofproto/ofproto-dpif.c		diff \| blob \| history