valgrind reported:
Invalid read of size 4
at 0x806ADC1: odp_port_to_ofport (hmap.h:267)
by 0x8077C05: xlate_receive (ofproto-dpif-xlate.c:523)
by 0x8073994: handle_miss_upcalls (ofproto-dpif-upcall.c:642)
by 0x80741AA: udpif_miss_handler (ofproto-dpif-upcall.c:412)
by 0x56FCC38: start_thread (pthread_create.c:304)
by 0x735378D: clone (clone.S:130)
Address 0x786c084 is 4 bytes inside a block of size 16 free'd
at 0x4D8350C: free (vg_replace_malloc.c:427)
by 0x8065EDA: close_dpif_backer (ofproto-dpif.c:1094)
The problem is that close_dpif_backer() destroys odp_to_ofport_map and the
associated mutex before it calls udpif_destroy() to stop the forwarding
threads. This gives the forwarding threads a window in which to try to
use odp_to_ofport_map.
This commit moves the udpif_destroy() call much earlier, solving the
problem. (The call to udpif_destroy() must follow the call to
drop_key_clear() because drop_key_clear() uses the udpif.)
Signed-off-by: Ben Pfaff <b...@nicira.com>
---
ofproto/ofproto-dpif.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ofproto/ofproto-dpif.c b/ofproto/ofproto-dpif.c
index b91b3df..b41c179 100644
--- a/ofproto/ofproto-dpif.c
+++ b/ofproto/ofproto-dpif.c
@@ -1090,13 +1090,14 @@ close_dpif_backer(struct dpif_backer *backer)
drop_key_clear(backer);
hmap_destroy(&backer->drop_keys);
+ udpif_destroy(backer->udpif);
+
simap_destroy(&backer->tnl_backers);
ovs_rwlock_destroy(&backer->odp_to_ofport_lock);
hmap_destroy(&backer->odp_to_ofport_map);
node = shash_find(&all_dpif_backers, backer->type);
free(backer->type);
shash_delete(&all_dpif_backers, node);
- udpif_destroy(backer->udpif);
dpif_close(backer->dpif);
ovs_assert(hmap_is_empty(&backer->subfacets));
--
1.7.10.4
_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
