Commit
dd2e44f835fac8 fixed a similar race conditions w.r.t.
removal of 'ofproto', but reintroduced this bug. While 'ofproto'
is being removed, the existing flow_miss_batches may still contain
references to the to be removed 'ofproto', causing access to freed
memory.
Bug #
1202234
Signed-off-by: Andy Zhou <azhou@nicira.com>
Acked-by: Alex Wang <alexw@nicira.com>
udpif_synchronize(struct udpif *udpif)
{
/* This is stronger than necessary. It would be sufficient to ensure
- * (somehow) that each handler and revalidator thread had passed through
- * its main loop once. */
+ * (somehow) that each handler thread had passed through its main
+ * loop once. */
size_t n_handlers = udpif->n_handlers;
if (n_handlers) {
udpif_recv_set(udpif, 0, false);
* to the ofproto or anything in it. */
udpif_synchronize(ofproto->backer->udpif);
+ /* Discard any flow_miss_batches queued up for 'ofproto', avoiding a
+ * use-after-free error. */
+ udpif_revalidate(ofproto->backer->udpif);
+
hmap_remove(&all_ofproto_dpifs, &ofproto->all_ofproto_dpifs_node);
OFPROTO_FOR_EACH_TABLE (table, &ofproto->up) {