On Wed, Jul 06, 2016 at 07:39:52PM -0400, Lance Richardson wrote:
> Investigation found that Some of the occasional failures in the
> "ovn -- vtep: 3 HVs, 1 VIFs/HV, 1 GW, 1 LS" test case are caused
> by ovs-vswitchd crashing with SIGSEGV. It turns out that the
> crash occurrs when the number of netdev-dummy passive connections
> transitions from 1 to 2. When xrealloc() copies the array of
> dummy_packet_stream structures from the original buffer to a
> newly allocated one, the struct ovs_list txq member of the structure
> becomes corrupt (e.g. if ovs_list_is_empty() would have returned
> false before the copy, it will return true after the copy, which
> will lead to a crash when the bogus packet buffer on the list is
> dereferenced).
>
> Fix by taking a hint from David Wheeler and adding a level of
> indirection.
>
> Signed-off-by: Lance Richardson <lrich...@redhat.com>
Thanks for the fix! I applied this.
I spotted what looks like another bug and fixed it by folding in the
following. If you think it's wrong, please let me know.
diff --git a/lib/netdev-dummy.c b/lib/netdev-dummy.c
index b16c9c6..2e7b7e9 100644
--- a/lib/netdev-dummy.c
+++ b/lib/netdev-dummy.c
@@ -459,7 +459,7 @@ dummy_pconn_run(struct netdev_dummy *dev)
dev->conn.type = NONE;
}
- for (i = 0; i < pconn->n_streams; i++) {
+ for (i = 0; i < pconn->n_streams; ) {
struct dummy_packet_stream *s = pconn->streams[i];
error = dummy_packet_stream_run(dev, s);
@@ -470,6 +470,8 @@ dummy_pconn_run(struct netdev_dummy *dev)
dummy_packet_stream_close(s);
free(s);
pconn->streams[i] = pconn->streams[--pconn->n_streams];
+ } else {
+ i++;
}
}
}
_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
