Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
controller: Fix "use after free" issue in statctrl_run().
Issue: ===== OVN controller main() is caching the "sbrec_mac_binding/sbrec_fdb" pointers in "mac_cache_mac_binding->mac_bindings/fdbs" which are used to update timestamp in mac_cache_mb_stats_run()/ mac_cache_fdb_stats_run(). There is a condition where cached "sbrec_mac_binding/sbrec_fdb" pointers gets freed without removing the refs from "mac_cache_mac_binding->mac_bindings/fdbs" which is leading to crash due to "use after free". This condition can occur due to following reason. - en_runtime_data is input to en_mac_cache. - en_runtime_data went for full recompute but engine_run() is called with recompute_allowed as False due to ofctrl_has_backlog() returned True. This caused to avoid the recompute in the current engine run and engine_run_aborted is set to True. If recompute_allowed is False and engine_run_aborted is True then, inc processing engine is skipped. - If there are any mac_binding/fdb deletes in the same run then, entries gets deleted during ovsdb_idl_loop_run() and rows are freed in ovsdb_idl_track_clear() but references to them are present in mac_cache_data->mac_bindings/fdbs. Fix: === Avoid statctrl_run() when en_mac_cache engine data is invalid. Fixes: e1ab41e ("controller: Update MAC binding timestamp") Signed-off-by: Naveen Yerramneni <naveen.yerramneni@nutanix.com> Acked-by: Ales Musil <amusil@redhat.com> Signed-off-by: Numan Siddique <numans@ovn.org> (cherry picked from commit 74315f1)
- Loading branch information