Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
bond: Fix bug that writes to freed memory
pr_op->pr_rule is pointing to memory in bond->hash. It shouldn't be written if bond->hash is already freed. This bug is reported by running kernel path testsuite under valgrind: Invalid write of size 8 at 0x413D16: update_recirc_rules__ (bond.c:392) by 0x414CA0: bond_unref (bond.c:290) by 0x427E3C: bundle_destroy (ofproto-dpif.c:3002) by 0x429EF4: bundle_set (ofproto-dpif.c:3023) by 0x40858B: port_destroy (bridge.c:4087) by 0x40BD04: bridge_destroy (bridge.c:3266) by 0x410528: bridge_exit (bridge.c:506) by 0x4072EE: main (ovs-vswitchd.c:135) Address 0xb5a85f0 is 5,360 bytes inside a block of size 12,288 free'd at 0x4C2EDEB: free (/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) by 0x414C8D: bond_unref (bond.c:288) by 0x427E3C: bundle_destroy (ofproto-dpif.c:3002) by 0x429EF4: bundle_set (ofproto-dpif.c:3023) by 0x40858B: port_destroy (bridge.c:4087) by 0x40BD04: bridge_destroy (bridge.c:3266) by 0x410528: bridge_exit (bridge.c:506) by 0x4072EE: main (ovs-vswitchd.c:135) Block was alloc'd at at 0x4C2DB8F: malloc (/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) by 0x516C04: xmalloc (util.c:120) by 0x414FD1: bond_entry_reset (bond.c:1651) by 0x414FD1: bond_reconfigure (bond.c:470) by 0x41507D: bond_create (bond.c:245) by 0x429D5D: bundle_set (ofproto-dpif.c:3194) by 0x408AC8: port_configure (bridge.c:1052) by 0x40CD87: bridge_reconfigure (bridge.c:682) by 0x410775: bridge_run (bridge.c:2998) by 0x407244: main (ovs-vswitchd.c:119) Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org> Tested-by: Greg Rose <gvrose8192@gmail.com> Reviewed-by: Greg Rose <gvrose8192@gmail.com>
- Loading branch information
