Message ID | 20220204165450.9083-1-dceara@redhat.com |
---|---|
State | Accepted |
Commit | 4628be9ff8014a2678b68fefcea3104cc334233f |
Series | [ovs-dev,v2] ovsdb-idl: Fix use-after-free when destroying an IDL loop. |

Context | Check | Description |
---|---|---|
ovsrobot/apply-robot | success | apply and check: success |
ovsrobot/github-robot-_Build_and_Test | fail | github build: failed |
On 2/4/22 17:54, Dumitru Ceara wrote:
> Transactions that are still incomplete (waiting for a reply from the
> server) are kept in the IDL's 'outstanding_txns' map. When a transaction
> is destroyed, ovsdb_idl_txn_destroy() will take care of removing the
> transaction from the 'outstanding_txns' map if the transaction was
> incomplete but also abort it and disassemble it if needed.
>
> Aborting the transaction first, before ovsdb_idl_txn_destroy(), may
> cause a use-after-free if the transaction was outstanding; that's
> because the transaction would move to state "aborted" without being
> removed from the 'outstanding_txns' map.
>
> Fixes: 53a540e5311c ("ovsdb-idl: ovsdb_idl_loop_destroy must also destroy the committing txn.")
> Signed-off-by: Dumitru Ceara <dceara@redhat.com>
> ---
> v2:
> - Removed unnecessary ovsdb_idl_txn_disassemble() call per Ilya's
> comment.
> - Rephrased the commit log.
> ---
> lib/ovsdb-idl.c | 1 -
> 1 file changed, 1 deletion(-)

Thanks! Applied and backported down to 2.13.

Best regards, Ilya Maximets.
diff --git a/lib/ovsdb-idl.c b/lib/ovsdb-idl.c index 46f51a527356..1929f225395e 100644 --- a/lib/ovsdb-idl.c +++ b/lib/ovsdb-idl.c @@ -4243,7 +4243,6 @@ ovsdb_idl_loop_destroy(struct ovsdb_idl_loop *loop) { if (loop) { if (loop->committing_txn) { - ovsdb_idl_txn_abort(loop->committing_txn); ovsdb_idl_txn_destroy(loop->committing_txn); } ovsdb_idl_destroy(loop->idl);
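Review bot: in ovsdb_idl_loop_destroy(), the remaining call ovsdb_idl_txn_destroy(loop->committing_txn) now carries an ordering requirement that nothing in the code records, and the Fixes tag points at an earlier change to this same function, so the abort call could easily be put back. A short comment above the destroy call, saying that ovsdb_idl_txn_destroy() itself removes an incomplete transaction from 'outstanding_txns' and that the transaction must not be aborted beforehand, would guard against that. The diffstat lists only lib/ovsdb-idl.c with one deletion, so no regression test accompanies the fix; a test that destroys an IDL loop while its committing transaction is still waiting for the server reply, run under a memory checker, would cover this path.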
Transactions that are still incomplete (waiting for a reply from the
server) are kept in the IDL's 'outstanding_txns' map. When a transaction
is destroyed, ovsdb_idl_txn_destroy() will take care of removing the
transaction from the 'outstanding_txns' map if the transaction was
incomplete but also abort it and disassemble it if needed.

Aborting the transaction first, before ovsdb_idl_txn_destroy(), may
cause a use-after-free if the transaction was outstanding; that's
because the transaction would move to state "aborted" without being
removed from the 'outstanding_txns' map.

Fixes: 53a540e5311c ("ovsdb-idl: ovsdb_idl_loop_destroy must also destroy the committing txn.")
Signed-off-by: Dumitru Ceara <dceara@redhat.com>
---
v2:
- Removed unnecessary ovsdb_idl_txn_disassemble() call per Ilya's
  comment.
- Rephrased the commit log.
---
 lib/ovsdb-idl.c | 1 -
 1 file changed, 1 deletion(-)
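The failure mode described in the commit message, reduced to a constructed C model. This is an added example, not OVS code: the slot array, the `freed` flag (standing in for free() so the stale entry can be inspected safely) and all function names are assumptions that follow the message's description.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model: states and map named after the commit message. */
enum txn_status { TXN_INCOMPLETE, TXN_ABORTED };
struct txn { enum txn_status status; bool freed; };

#define SLOTS 4
static struct txn *outstanding_txns[SLOTS];

/* Abort only changes the state; it never touches the map. */
static void txn_abort(struct txn *t) { t->status = TXN_ABORTED; }

/* Destroy unlinks the txn from the map only while it is still
 * incomplete, then aborts it and releases it. */
static void txn_destroy(struct txn *t) {
    if (t->status == TXN_INCOMPLETE) {
        for (size_t i = 0; i < SLOTS; i++) {
            if (outstanding_txns[i] == t) outstanding_txns[i] = NULL;
        }
    }
    txn_abort(t);
    t->freed = true;
}

/* Tear down a loop whose committing txn is still outstanding and
 * return how many map entries still point at a released txn. */
int dangling_after_loop_destroy(bool abort_first) {
    static struct txn t;
    for (size_t i = 0; i < SLOTS; i++) outstanding_txns[i] = NULL;
    t.status = TXN_INCOMPLETE;
    t.freed = false;
    outstanding_txns[0] = &t;          /* waiting for the server reply */
    if (abort_first) txn_abort(&t);    /* ordering before the fix */
    txn_destroy(&t);
    int dangling = 0;
    for (size_t i = 0; i < SLOTS; i++) {
        if (outstanding_txns[i] && outstanding_txns[i]->freed) dangling++;
    }
    return dangling;
}

int main(void) {
    printf("abort then destroy: %d dangling\n", dangling_after_loop_destroy(true));
    printf("destroy only:       %d dangling\n", dangling_after_loop_destroy(false));
    return 0;
}
```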