From 87400a3d4cc4a7da015485002753aaaeb860433a Mon Sep 17 00:00:00 2001
From: Ben Pfaff
Date: Tue, 20 May 2014 17:09:59 -0700
Subject: [PATCH] dpif-netdev: Fix use-after-free in port_unref().
When the last rxq is closed (which releases the rxq's internal reference to its netdev) the next call to netdev_n_rxq() accesses freed memory. Found by valgrind.
Signed-off-by: Ben Pfaff
Reported-by: Jarno Rajahalme
Acked-by: Jarno Rajahalme
---
 lib/dpif-netdev.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/lib/dpif-netdev.c b/lib/dpif-netdev.c
index 0becd0381..a2e3308e9 100644
--- a/lib/dpif-netdev.c
+++ b/lib/dpif-netdev.c
@@ -811,12 +811,14 @@ static void
 port_unref(struct dp_netdev_port *port)
 {
 if (port && ovs_refcount_unref(&port->ref_cnt) == 1) {
+ int n_rxq;
 int i;
 netdev_close(port->netdev);
 netdev_restore_flags(port->sf);
- for (i = 0; i < netdev_n_rxq(port->netdev); i++) {
+ n_rxq = netdev_n_rxq(port->netdev);
+ for (i = 0; i < n_rxq; i++) {
 netdev_rxq_close(port->rxq[i]);
 }
 free(port->type);
--
2.39.5
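Review bot: The added `n_rxq = netdev_n_rxq(port->netdev);` still dereferences `port->netdev` after `netdev_close(port->netdev)` has already dropped the port's own reference, so the read is safe only while at least one open rxq keeps the netdev alive. Whether a port can reach this path with no rxq holding a reference is not visible in the hunk, but if it can, this is the same use-after-free one statement earlier. Taking the count before the close removes that dependency: initialise at the declaration with `int n_rxq = netdev_n_rxq(port->netdev);` and drop the later assignment, with a short comment such as `/* Read before netdev_close(): the rxqs may hold the last references. */`. The `if` block and the rest of port_unref() continue past the end of the hunk, so any later use of `port->netdev` there cannot be checked from here.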