Commit dd2e44f835fac8 fixed a similar race condition w.r.t. removal of 'ofproto', but introduced this bug. While 'ofproto' is being removed, the existing flow_miss_batches may still contain references to the to-be-removed 'ofproto', causing access to freed memory.
Bug #1202234 Signed-off-by: Andy Zhou <az...@nicira.com> --- ofproto/ofproto-dpif.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ofproto/ofproto-dpif.c b/ofproto/ofproto-dpif.c index cf421ae..ede7533 100644 --- a/ofproto/ofproto-dpif.c +++ b/ofproto/ofproto-dpif.c @@ -1411,6 +1411,10 @@ destruct(struct ofproto *ofproto_) * to the ofproto or anything in it. */ udpif_synchronize(ofproto->backer->udpif); + /* Discard any flow_miss_batches queued up for 'ofproto', avoiding a + * use-after-free error. */ + udpif_revalidate(ofproto->backer->udpif); + hmap_remove(&all_ofproto_dpifs, &ofproto->all_ofproto_dpifs_node); OFPROTO_FOR_EACH_TABLE (table, &ofproto->up) { -- 1.7.9.5
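Review bot: The added udpif_revalidate() call in destruct() runs before hmap_remove(&all_ofproto_dpifs, ...), so 'ofproto' is still in all_ofproto_dpifs at the moment the queue is discarded, and the new comment does not say why no further flow_miss_batch referencing it can be queued in that window. Either move the discard after the hmap_remove() or extend the comment to state what guarantees the queue stays free of references to this 'ofproto' once udpif_synchronize() has returned. The comment also says the batches discarded are those "queued up for 'ofproto'", while the call takes ofproto->backer->udpif, which is the backer's udpif rather than anything specific to this 'ofproto'; if the discard covers every batch on that backer, the comment should say so, so that the cost for other users of the same backer is visible at the call site.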