Zebra is ignoring IPv6 link-local addresses on recent Linux kernels #19

NetDEF-CI · 2016-12-19T09:09:52Z

Issue by rwestphal
Thursday Dec 08, 2016 at 17:52 GMT
Originally opened as https://github.com/opensourcerouting/cumulus-private_quagga/issues/9

Regression introduced by commit 6a3b35 ("Zebra: Handle IPv6 address status during initialization").

More specifically, link-local addresses might not meet the following condition on some kernel versions:
https://github.com/opensourcerouting/cumulus-private_quagga/commit/6a3b35#diff-219fcf863f5de80131a9fd6c16919be1R663

Kernel version where this problem is known to happen: 4.4.0-51-generic #72-Ubuntu
Kernel version where this problem is known not to happen: 3.13.0-77-generic #121-Ubuntu

donaldsharp · 2017-01-10T16:15:49Z

This bug was introduced by a patch from Vivek, I'll ask him to look at it real quick

rwestphal · 2017-02-02T15:11:55Z

Apparently this issue is a false alarm.

Vivek's change to ignore IPv6 addresses with the IFA_F_DADFAILED/IFA_F_TENTATIVE flags is correct as these addresses can not be used nor bound to.

I did some more testing here and the problem only happens on a very specific scenario. When you run a VirtualBox VM using a bridged network adapter based on a wlan interface, all IPv6 addresses added to this virtual adapter fail in the IPv6 DAD check (and thus zebra will correctly ignore them). The same doesn't happen if we use the bridge mode based on a wired ethernet interface.

Please see the output below (enp0s3 is bridged on a wlan interface and enp0s8 is bridged on a wired ethernet interface):

# ip -6 addr add 3000::1/64 dev enp0s3
# ip -6 addr add 4000::1/64 dev enp0s8
# ip -6 addr show scope global
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 3000::1/64 scope global tentative dadfailed 
       valid_lft forever preferred_lft forever
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 4000::1/64 scope global 
       valid_lft forever preferred_lft forever

Something really obscure is going on here but the problem is definitely not in zebra. And using different kernel versions doesn't change anything, just the test environment.

dsahern · 2017-02-02T18:26:40Z

My results vary on a ubuntu 16.10 VM I just installed:

dsa@ubuntu-1610:~$ uname -a
Linux ubuntu-1610 4.8.0-22-generic #24-Ubuntu SMP Sat Oct 8 09:15:00 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

This interface is bridged to my Wi-Fi and pulls a dhcp address from the router (actual addresses obscured, but it is a valid address):
dsa@ubuntu-1610:~$ ip addr sh enp0s8
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:3d:4d:e3 brd ff:ff:ff:ff:ff:ff
inet 172.16.xx.xx/24 brd 172.16.xx.255 scope global enp0s8
valid_lft forever preferred_lft forever
inet6 2601:282:800:xxxx:xxxx:xxxx:xxxx:xxxx/64 scope global mngtmpaddr dynamic
valid_lft 600sec preferred_lft 300sec
inet6 fe80::a00:27ff:fe3d:4de3/64 scope link
valid_lft forever preferred_lft forever

This is using Virtual Box on a Mac running 10.12.2.

donaldsharp · 2017-02-02T18:28:45Z

@rwestphal ok to close this bug then?

rwestphal · 2017-02-02T19:08:10Z

@donaldsharp sure.

Add check for mpls module to more places

When zebra is running with debugs turned on there is a use after free reported by the address sanitizer: 2020/10/16 12:58:02 ZEBRA: rib_delnode: (0:254):4.5.6.16/32: rn 0x60b000026f20, re 0x6080000131a0, removing 2020/10/16 12:58:02 ZEBRA: rib_meta_queue_add: (0:254):4.5.6.16/32: queued rn 0x60b000026f20 into sub-queue 3 ================================================================= ==3101430==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000011d28 at pc 0x555555705ab6 bp 0x7fffffffdab0 sp 0x7fffffffdaa8 READ of size 8 at 0x608000011d28 thread T0 #0 0x555555705ab5 in re_list_const_first zebra/rib.h:222 #1 0x555555705b54 in re_list_first zebra/rib.h:222 #2 0x555555711a4f in process_subq_route zebra/zebra_rib.c:2248 #3 0x555555711d2e in process_subq zebra/zebra_rib.c:2286 #4 0x555555711ec7 in meta_queue_process zebra/zebra_rib.c:2320 #5 0x7ffff74701f7 in work_queue_run lib/workqueue.c:291 #6 0x7ffff7450e9c in thread_call lib/thread.c:1581 #7 0x7ffff738eaf7 in frr_run lib/libfrr.c:1099 #8 0x55555561a578 in main zebra/main.c:455 #9 0x7ffff7079cc9 in __libc_start_main ../csu/libc-start.c:308 #10 0x5555555e3429 in _start (/usr/lib/frr/zebra+0x8f429) 0x608000011d28 is located 8 bytes inside of 88-byte region [0x608000011d20,0x608000011d78) freed by thread T0 here: #0 0x7ffff768bb6f in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.6+0xa9b6f) #1 0x7ffff739ccad in qfree lib/memory.c:129 #2 0x555555709ee4 in rib_gc_dest zebra/zebra_rib.c:746 #3 0x55555570ca76 in rib_process zebra/zebra_rib.c:1240 #4 0x555555711a05 in process_subq_route zebra/zebra_rib.c:2245 #5 0x555555711d2e in process_subq zebra/zebra_rib.c:2286 #6 0x555555711ec7 in meta_queue_process zebra/zebra_rib.c:2320 #7 0x7ffff74701f7 in work_queue_run lib/workqueue.c:291 #8 0x7ffff7450e9c in thread_call lib/thread.c:1581 #9 0x7ffff738eaf7 in frr_run lib/libfrr.c:1099 #10 0x55555561a578 in main zebra/main.c:455 #11 0x7ffff7079cc9 in __libc_start_main ../csu/libc-start.c:308 previously allocated by thread T0 here: #0 0x7ffff768c037 in calloc (/lib/x86_64-linux-gnu/libasan.so.6+0xaa037) #1 0x7ffff739cb98 in qcalloc lib/memory.c:110 #2 0x555555712ace in zebra_rib_create_dest zebra/zebra_rib.c:2515 #3 0x555555712c6c in rib_link zebra/zebra_rib.c:2576 #4 0x555555712faa in rib_addnode zebra/zebra_rib.c:2607 #5 0x555555715bf0 in rib_add_multipath_nhe zebra/zebra_rib.c:3012 #6 0x555555715f56 in rib_add_multipath zebra/zebra_rib.c:3049 #7 0x55555571788b in rib_add zebra/zebra_rib.c:3327 #8 0x5555555e584a in connected_up zebra/connected.c:254 #9 0x5555555e42ff in connected_announce zebra/connected.c:94 #10 0x5555555e4fd3 in connected_update zebra/connected.c:195 #11 0x5555555e61ad in connected_add_ipv4 zebra/connected.c:340 #12 0x5555555f26f5 in netlink_interface_addr zebra/if_netlink.c:1213 #13 0x55555560f756 in netlink_information_fetch zebra/kernel_netlink.c:350 #14 0x555555612e49 in netlink_parse_info zebra/kernel_netlink.c:941 #15 0x55555560f9f1 in kernel_read zebra/kernel_netlink.c:402 #16 0x7ffff7450e9c in thread_call lib/thread.c:1581 #17 0x7ffff738eaf7 in frr_run lib/libfrr.c:1099 #18 0x55555561a578 in main zebra/main.c:455 #19 0x7ffff7079cc9 in __libc_start_main ../csu/libc-start.c:308 SUMMARY: AddressSanitizer: heap-use-after-free zebra/rib.h:222 in re_list_const_first This is happening because we are using the dest pointer after a call into rib_gc_dest. In process_subq_route, we call rib_process() and if the dest is deleted dest pointer is now garbage. We must reload the dest pointer in this case. Signed-off-by: Donald Sharp <sharpd@nvidia.com>

When zebra is running with debugs turned on there is a use after free reported by the address sanitizer: 2020/10/16 12:58:02 ZEBRA: rib_delnode: (0:254):4.5.6.16/32: rn 0x60b000026f20, re 0x6080000131a0, removing 2020/10/16 12:58:02 ZEBRA: rib_meta_queue_add: (0:254):4.5.6.16/32: queued rn 0x60b000026f20 into sub-queue 3 ================================================================= ==3101430==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000011d28 at pc 0x555555705ab6 bp 0x7fffffffdab0 sp 0x7fffffffdaa8 READ of size 8 at 0x608000011d28 thread T0 #0 0x555555705ab5 in re_list_const_first zebra/rib.h:222 FRRouting#1 0x555555705b54 in re_list_first zebra/rib.h:222 FRRouting#2 0x555555711a4f in process_subq_route zebra/zebra_rib.c:2248 FRRouting#3 0x555555711d2e in process_subq zebra/zebra_rib.c:2286 FRRouting#4 0x555555711ec7 in meta_queue_process zebra/zebra_rib.c:2320 FRRouting#5 0x7ffff74701f7 in work_queue_run lib/workqueue.c:291 FRRouting#6 0x7ffff7450e9c in thread_call lib/thread.c:1581 FRRouting#7 0x7ffff738eaf7 in frr_run lib/libfrr.c:1099 FRRouting#8 0x55555561a578 in main zebra/main.c:455 FRRouting#9 0x7ffff7079cc9 in __libc_start_main ../csu/libc-start.c:308 FRRouting#10 0x5555555e3429 in _start (/usr/lib/frr/zebra+0x8f429) 0x608000011d28 is located 8 bytes inside of 88-byte region [0x608000011d20,0x608000011d78) freed by thread T0 here: #0 0x7ffff768bb6f in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.6+0xa9b6f) FRRouting#1 0x7ffff739ccad in qfree lib/memory.c:129 FRRouting#2 0x555555709ee4 in rib_gc_dest zebra/zebra_rib.c:746 FRRouting#3 0x55555570ca76 in rib_process zebra/zebra_rib.c:1240 FRRouting#4 0x555555711a05 in process_subq_route zebra/zebra_rib.c:2245 FRRouting#5 0x555555711d2e in process_subq zebra/zebra_rib.c:2286 FRRouting#6 0x555555711ec7 in meta_queue_process zebra/zebra_rib.c:2320 FRRouting#7 0x7ffff74701f7 in work_queue_run lib/workqueue.c:291 FRRouting#8 0x7ffff7450e9c in thread_call lib/thread.c:1581 FRRouting#9 0x7ffff738eaf7 in frr_run lib/libfrr.c:1099 FRRouting#10 0x55555561a578 in main zebra/main.c:455 FRRouting#11 0x7ffff7079cc9 in __libc_start_main ../csu/libc-start.c:308 previously allocated by thread T0 here: #0 0x7ffff768c037 in calloc (/lib/x86_64-linux-gnu/libasan.so.6+0xaa037) FRRouting#1 0x7ffff739cb98 in qcalloc lib/memory.c:110 FRRouting#2 0x555555712ace in zebra_rib_create_dest zebra/zebra_rib.c:2515 FRRouting#3 0x555555712c6c in rib_link zebra/zebra_rib.c:2576 FRRouting#4 0x555555712faa in rib_addnode zebra/zebra_rib.c:2607 FRRouting#5 0x555555715bf0 in rib_add_multipath_nhe zebra/zebra_rib.c:3012 FRRouting#6 0x555555715f56 in rib_add_multipath zebra/zebra_rib.c:3049 FRRouting#7 0x55555571788b in rib_add zebra/zebra_rib.c:3327 FRRouting#8 0x5555555e584a in connected_up zebra/connected.c:254 FRRouting#9 0x5555555e42ff in connected_announce zebra/connected.c:94 FRRouting#10 0x5555555e4fd3 in connected_update zebra/connected.c:195 FRRouting#11 0x5555555e61ad in connected_add_ipv4 zebra/connected.c:340 FRRouting#12 0x5555555f26f5 in netlink_interface_addr zebra/if_netlink.c:1213 FRRouting#13 0x55555560f756 in netlink_information_fetch zebra/kernel_netlink.c:350 FRRouting#14 0x555555612e49 in netlink_parse_info zebra/kernel_netlink.c:941 FRRouting#15 0x55555560f9f1 in kernel_read zebra/kernel_netlink.c:402 FRRouting#16 0x7ffff7450e9c in thread_call lib/thread.c:1581 FRRouting#17 0x7ffff738eaf7 in frr_run lib/libfrr.c:1099 FRRouting#18 0x55555561a578 in main zebra/main.c:455 FRRouting#19 0x7ffff7079cc9 in __libc_start_main ../csu/libc-start.c:308 SUMMARY: AddressSanitizer: heap-use-after-free zebra/rib.h:222 in re_list_const_first This is happening because we are using the dest pointer after a call into rib_gc_dest. In process_subq_route, we call rib_process() and if the dest is deleted dest pointer is now garbage. We must reload the dest pointer in this case. Signed-off-by: Donald Sharp <sharpd@nvidia.com>

Temporal fix Thread 2.1 "bgpd" received signal SIGSEGV, Segmentation fault. 0x00007ffff7b14180 in route_top (table=0x0) at lib/table.c:401 401 if (table->top == NULL) (gdb) bt \#0 0x00007ffff7b14180 in route_top (table=0x0) at lib/table.c:401 \#1 0x0000555555657286 in bgp_table_top (table=0x55555629c440) at ./bgpd/bgp_table.h:203 \#2 0x0000555555666dd0 in bgp_soft_reconfig_table_flag (srta=0x55555bc68fd0, flag=false) at bgpd/bgp_route.c:4669 \#3 0x0000555555666f5e in bgp_soft_reconfig_table_thread_cancel (nsrta=0x0, bgp=0x5555562767a0) at bgpd/bgp_route.c:4698 \FRRouting#4 0x00005555556e9463 in bgp_delete (bgp=0x5555562767a0) at bgpd/bgpd.c:3482 \FRRouting#5 0x00005555556f9ae5 in bgp_router_destroy (args=0x7fffffff6b90) at bgpd/bgp_nb_config.c:176 \FRRouting#6 0x00007ffff7ad985d in nb_callback_destroy (context=0x7fffffff7180, nb_node=0x555555c0c580, event=NB_EV_APPLY, dnode=0x5555563cdbf0, errmsg=0x7fffffff7190 "", errmsg_len=8192) at lib/northbound.c:970 \FRRouting#7 0x00007ffff7ada17a in nb_callback_configuration (context=0x7fffffff7180, event=NB_EV_APPLY, change=0x55555d5aa560, errmsg=0x7fffffff7190 "", errmsg_len=8192) at lib/northbound.c:1195 \FRRouting#8 0x00007ffff7ada564 in nb_transaction_process (event=NB_EV_APPLY, transaction=0x55556a6ed510, errmsg=0x7fffffff7190 "", errmsg_len=8192) at lib/northbound.c:1312 \FRRouting#9 0x00007ffff7ad900b in nb_candidate_commit_apply (transaction=0x55556a6ed510, save_transaction=true, transaction_id=0x0, errmsg=0x7fffffff7190 "", errmsg_len=8192) at lib/northbound.c:745 \FRRouting#10 0x00007ffff7ad912e in nb_candidate_commit (context=0x7fffffff7180, candidate=0x555555bddd00, save_transaction=true, comment=0x0, transaction_id=0x0, errmsg=0x7fffffff7190 "", errmsg_len=8192) at lib/northbound.c:777 \FRRouting#11 0x00007ffff7ae0249 in nb_cli_classic_commit (vty=0x555557b62790) at lib/northbound_cli.c:64 \FRRouting#12 0x00007ffff7ae0cce in nb_cli_apply_changes (vty=0x555557b62790, xpath_base_fmt=0x7fffffffb730 "/frr-routing:routing/control-plane-protocols/control-plane-protocol[type='frr-bgp:bgp'][name='bgp'][vrf='default']/frr-bgp:bgp") at lib/northbound_cli.c:281 \FRRouting#13 0x00005555556a01e6 in no_router_bgp (self=0x555555a28140 <no_router_bgp_cmd>, vty=0x555557b62790, argc=3, argv=0x555560be1bd0) at bgpd/bgp_vty.c:1466 \FRRouting#14 0x00007ffff7a90ebc in cmd_execute_command_real (vline=0x55556635c140, filter=FILTER_RELAXED, vty=0x555557b62790, cmd=0x0) at lib/command.c:938 \FRRouting#15 0x00007ffff7a91031 in cmd_execute_command (vline=0x55556635c140, vty=0x555557b62790, cmd=0x0, vtysh=0) at lib/command.c:997 \FRRouting#16 0x00007ffff7a91586 in cmd_execute (vty=0x555557b62790, cmd=0x555557b68f20 "no router bgp", matched=0x0, vtysh=0) at lib/command.c:1162 \FRRouting#17 0x00007ffff7b228f9 in vty_command (vty=0x555557b62790, buf=0x555557b68f20 "no router bgp") at lib/vty.c:517 \FRRouting#18 0x00007ffff7b2465b in vty_execute (vty=0x555557b62790) at lib/vty.c:1282 \FRRouting#19 0x00007ffff7b2656e in vtysh_read (thread=0x7fffffffe2e0) at lib/vty.c:2120 \FRRouting#20 0x00007ffff7b1bd23 in thread_call (thread=0x7fffffffe2e0) at lib/thread.c:1681 \FRRouting#21 0x00007ffff7ac7fc2 in frr_run (master=0x555555a6aab0) at lib/libfrr.c:1110 \FRRouting#22 0x00005555555d88b2 in main (argc=4, argv=0x7fffffffe518) at bgpd/bgp_main.c:523 Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>

When zebra is running with debugs turned on there is a use after free reported by the address sanitizer: 2020/10/16 12:58:02 ZEBRA: rib_delnode: (0:254):4.5.6.16/32: rn 0x60b000026f20, re 0x6080000131a0, removing 2020/10/16 12:58:02 ZEBRA: rib_meta_queue_add: (0:254):4.5.6.16/32: queued rn 0x60b000026f20 into sub-queue 3 ================================================================= ==3101430==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000011d28 at pc 0x555555705ab6 bp 0x7fffffffdab0 sp 0x7fffffffdaa8 READ of size 8 at 0x608000011d28 thread T0 #0 0x555555705ab5 in re_list_const_first zebra/rib.h:222 #1 0x555555705b54 in re_list_first zebra/rib.h:222 #2 0x555555711a4f in process_subq_route zebra/zebra_rib.c:2248 FRRouting#3 0x555555711d2e in process_subq zebra/zebra_rib.c:2286 FRRouting#4 0x555555711ec7 in meta_queue_process zebra/zebra_rib.c:2320 FRRouting#5 0x7ffff74701f7 in work_queue_run lib/workqueue.c:291 FRRouting#6 0x7ffff7450e9c in thread_call lib/thread.c:1581 FRRouting#7 0x7ffff738eaf7 in frr_run lib/libfrr.c:1099 FRRouting#8 0x55555561a578 in main zebra/main.c:455 FRRouting#9 0x7ffff7079cc9 in __libc_start_main ../csu/libc-start.c:308 FRRouting#10 0x5555555e3429 in _start (/usr/lib/frr/zebra+0x8f429) 0x608000011d28 is located 8 bytes inside of 88-byte region [0x608000011d20,0x608000011d78) freed by thread T0 here: #0 0x7ffff768bb6f in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.6+0xa9b6f) #1 0x7ffff739ccad in qfree lib/memory.c:129 #2 0x555555709ee4 in rib_gc_dest zebra/zebra_rib.c:746 FRRouting#3 0x55555570ca76 in rib_process zebra/zebra_rib.c:1240 FRRouting#4 0x555555711a05 in process_subq_route zebra/zebra_rib.c:2245 FRRouting#5 0x555555711d2e in process_subq zebra/zebra_rib.c:2286 FRRouting#6 0x555555711ec7 in meta_queue_process zebra/zebra_rib.c:2320 FRRouting#7 0x7ffff74701f7 in work_queue_run lib/workqueue.c:291 FRRouting#8 0x7ffff7450e9c in thread_call lib/thread.c:1581 FRRouting#9 0x7ffff738eaf7 in frr_run lib/libfrr.c:1099 FRRouting#10 0x55555561a578 in main zebra/main.c:455 FRRouting#11 0x7ffff7079cc9 in __libc_start_main ../csu/libc-start.c:308 previously allocated by thread T0 here: #0 0x7ffff768c037 in calloc (/lib/x86_64-linux-gnu/libasan.so.6+0xaa037) #1 0x7ffff739cb98 in qcalloc lib/memory.c:110 #2 0x555555712ace in zebra_rib_create_dest zebra/zebra_rib.c:2515 FRRouting#3 0x555555712c6c in rib_link zebra/zebra_rib.c:2576 FRRouting#4 0x555555712faa in rib_addnode zebra/zebra_rib.c:2607 FRRouting#5 0x555555715bf0 in rib_add_multipath_nhe zebra/zebra_rib.c:3012 FRRouting#6 0x555555715f56 in rib_add_multipath zebra/zebra_rib.c:3049 FRRouting#7 0x55555571788b in rib_add zebra/zebra_rib.c:3327 FRRouting#8 0x5555555e584a in connected_up zebra/connected.c:254 FRRouting#9 0x5555555e42ff in connected_announce zebra/connected.c:94 FRRouting#10 0x5555555e4fd3 in connected_update zebra/connected.c:195 FRRouting#11 0x5555555e61ad in connected_add_ipv4 zebra/connected.c:340 FRRouting#12 0x5555555f26f5 in netlink_interface_addr zebra/if_netlink.c:1213 FRRouting#13 0x55555560f756 in netlink_information_fetch zebra/kernel_netlink.c:350 FRRouting#14 0x555555612e49 in netlink_parse_info zebra/kernel_netlink.c:941 FRRouting#15 0x55555560f9f1 in kernel_read zebra/kernel_netlink.c:402 FRRouting#16 0x7ffff7450e9c in thread_call lib/thread.c:1581 FRRouting#17 0x7ffff738eaf7 in frr_run lib/libfrr.c:1099 FRRouting#18 0x55555561a578 in main zebra/main.c:455 FRRouting#19 0x7ffff7079cc9 in __libc_start_main ../csu/libc-start.c:308 SUMMARY: AddressSanitizer: heap-use-after-free zebra/rib.h:222 in re_list_const_first This is happening because we are using the dest pointer after a call into rib_gc_dest. In process_subq_route, we call rib_process() and if the dest is deleted dest pointer is now garbage. We must reload the dest pointer in this case. Signed-off-by: Donald Sharp <sharpd@nvidia.com>

lib: fix cmgd commit-apply delay.

ASAN reported the following memleak: ``` Direct leak of 40 byte(s) in 1 object(s) allocated from: #0 0x4d4342 in calloc (/usr/lib/frr/bgpd+0x4d4342) FRRouting#1 0xbc3d68 in qcalloc /home/sharpd/frr8/lib/memory.c:116:27 FRRouting#2 0xb869f7 in list_new /home/sharpd/frr8/lib/linklist.c:64:9 FRRouting#3 0x5a38bc in bgp_evpn_remote_ip_hash_alloc /home/sharpd/frr8/bgpd/bgp_evpn.c:6789:24 FRRouting#4 0xb358d3 in hash_get /home/sharpd/frr8/lib/hash.c:162:13 FRRouting#5 0x593d39 in bgp_evpn_remote_ip_hash_add /home/sharpd/frr8/bgpd/bgp_evpn.c:6881:7 FRRouting#6 0x59dbbd in install_evpn_route_entry_in_vni_common /home/sharpd/frr8/bgpd/bgp_evpn.c:3049:2 FRRouting#7 0x59cfe0 in install_evpn_route_entry_in_vni_ip /home/sharpd/frr8/bgpd/bgp_evpn.c:3126:8 FRRouting#8 0x59c6f0 in install_evpn_route_entry /home/sharpd/frr8/bgpd/bgp_evpn.c:3318:8 FRRouting#9 0x59bb52 in install_uninstall_route_in_vnis /home/sharpd/frr8/bgpd/bgp_evpn.c:3888:10 FRRouting#10 0x59b6d2 in bgp_evpn_install_uninstall_table /home/sharpd/frr8/bgpd/bgp_evpn.c:4019:5 FRRouting#11 0x578857 in install_uninstall_evpn_route /home/sharpd/frr8/bgpd/bgp_evpn.c:4051:9 FRRouting#12 0x58ada6 in bgp_evpn_import_route /home/sharpd/frr8/bgpd/bgp_evpn.c:6049:9 FRRouting#13 0x713794 in bgp_update /home/sharpd/frr8/bgpd/bgp_route.c:4842:3 FRRouting#14 0x583fa0 in process_type2_route /home/sharpd/frr8/bgpd/bgp_evpn.c:4518:9 FRRouting#15 0x5824ba in bgp_nlri_parse_evpn /home/sharpd/frr8/bgpd/bgp_evpn.c:5732:8 FRRouting#16 0x6ae6a2 in bgp_nlri_parse /home/sharpd/frr8/bgpd/bgp_packet.c:363:10 FRRouting#17 0x6be6fa in bgp_update_receive /home/sharpd/frr8/bgpd/bgp_packet.c:2020:15 FRRouting#18 0x6b7433 in bgp_process_packet /home/sharpd/frr8/bgpd/bgp_packet.c:2929:11 FRRouting#19 0xd00146 in thread_call /home/sharpd/frr8/lib/thread.c:2006:2 ``` The list itself was not being cleaned up when the final list entry was removed, so make sure we do that instead of leaking memory. Signed-off-by: Trey Aspelund <taspelund@nvidia.com>

A BGP crash happens when the 'show bgp label-nexthop' is executed, on a BGP VRF configuration with the 'label vpn export allocation-mode per-nexthop' command configured. > (gdb) bt > #0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=140039420118912) at ./nptl/pthread_kill.c:44 > FRRouting#1 __pthread_kill_internal (signo=6, threadid=140039420118912) at ./nptl/pthread_kill.c:78 > FRRouting#2 __GI___pthread_kill (threadid=140039420118912, signo=signo@entry=6) at ./nptl/pthread_kill.c:89 > FRRouting#3 0x00007f5d78063476 in __GI_raise (sig=6) at ../sysdeps/posix/raise.c:26 > FRRouting#4 0x00007f5d78448705 in core_handler (signo=6, siginfo=0x7ffffe2e0f70, context=0x7ffffe2e0e40) > at /build/make-pkg/output/_packages/cp-routing/src/lib/sigevent.c:262 > FRRouting#5 <signal handler called> > FRRouting#6 __pthread_kill_implementation (no_tid=0, signo=6, threadid=140039420118912) at ./nptl/pthread_kill.c:44 > FRRouting#7 __pthread_kill_internal (signo=6, threadid=140039420118912) at ./nptl/pthread_kill.c:78 > FRRouting#8 __GI___pthread_kill (threadid=140039420118912, signo=signo@entry=6) at ./nptl/pthread_kill.c:89 > FRRouting#9 0x00007f5d78063476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26 > FRRouting#10 0x00007f5d780497f3 in __GI_abort () at ./stdlib/abort.c:79 > FRRouting#11 0x00007f5d7848872f in _zlog_assert_failed (xref=0x5605f59a4ec0 <_xref.9>, extra=0x0) > at /build/make-pkg/output/_packages/cp-routing/src/lib/zlog.c:557 > FRRouting#12 0x00005605f57ad3ab in show_bgp_nexthop_label_afi (vty=0x5605f79138e0, afi=AFI_IP, bgp=0x5605f7855090, detail=true) > at /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_labelpool.c:1071 > FRRouting#13 0x00005605f57ad62a in show_bgp_nexthop_label (self=0x5605f59a4920 <show_bgp_nexthop_label_cmd>, vty=0x5605f79138e0, argc=6, argv=0x5605f77c5cc0) > at /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_labelpool.c:1116 > FRRouting#14 0x00007f5d783bb858 in cmd_execute_command_real (vline=0x5605f791c060, filter=FILTER_RELAXED, vty=0x5605f79138e0, cmd=0x0, up_level=0) > at /build/make-pkg/output/_packages/cp-routing/src/lib/command.c:1070 > FRRouting#15 0x00007f5d783bb9dd in cmd_execute_command (vline=0x5605f791c060, vty=0x5605f79138e0, cmd=0x0, vtysh=0) > at /build/make-pkg/output/_packages/cp-routing/src/lib/command.c:1130 > FRRouting#16 0x00007f5d783bbf8a in cmd_execute (vty=0x5605f79138e0, cmd=0x5605f791a010 "show bgp vrf vrf1 label-nexthop detail", matched=0x0, vtysh=0) > at /build/make-pkg/output/_packages/cp-routing/src/lib/command.c:1294 > FRRouting#17 0x00007f5d7846965c in vty_command (vty=0x5605f79138e0, buf=0x5605f791a010 "show bgp vrf vrf1 label-nexthop detail") > at /build/make-pkg/output/_packages/cp-routing/src/lib/vty.c:530 > FRRouting#18 0x00007f5d7846b52c in vty_execute (vty=0x5605f79138e0) at /build/make-pkg/output/_packages/cp-routing/src/lib/vty.c:1296 > FRRouting#19 0x00007f5d7846d508 in vtysh_read (thread=0x7ffffe2e4410) at /build/make-pkg/output/_packages/cp-routing/src/lib/vty.c:2137 > FRRouting#20 0x00007f5d78461fe6 in thread_call (thread=0x7ffffe2e4410) at /build/make-pkg/output/_packages/cp-routing/src/lib/thread.c:1825 > > (gdb) frame 12 > FRRouting#12 0x00005605f57ad3ab in show_bgp_nexthop_label_afi (vty=0x5605f79138e0, afi=AFI_IP, bgp=0x5605f7855090, detail=true) > at /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_labelpool.c:1071 > This crash is a segmentation fault: the 'path' pointer is not a valid pointer; consequently, the 'dest' and the 'table' pointer are also invalid. The 'path' pointer is a 'bgp_path_info' structure previously freed when a peer down event occured. The 'show bgp label-nexthop' command was attempting to dump the 'bgp_path_info' entries referenced in the 'bgp_label_per_nexthop_cache' entries. As the 'bgp_path_info' entries were invalid, the crash happened. To illustrate, the below dump shows 3 path entries linked to the '192.0.2.11' next-hop, whereas the '192.0.2.11' peer has been removed. > dut-vm# show bgp vrf vrf1 label-nexthop > Current BGP label nexthop cache for IPv4, VRF VRF vrf1 > 192.0.2.11, label 20 #paths 3 > if r1-eth1 > Last update: Wed May 24 15:16:21 2023 > dut-vm# show bgp vrf vrf1 label-nexthop detail > <-- crash When the 'bgp_path_info' entries are freed, the 'bgp_mplsvpn_path_nh_label_unlink()' function is called. The 'pi->net' pointer is needed to check the BGP RIB table is the SAFI_UNICAST routing table, and to de-reference the 'bgp_labl_per_nexthop_cache' entry from the 'bgp_path_info' entry. In this case, the 'pi->net' was unset. Fix this by introducing a new 'mplsvpn_usage' field to determine if the 'bgp_path_info' structure contains a 'bgp_mplsvpn_label_nh' structure. Fixes: ("bgpd: allocate label bound to received mpls vpn routes") Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>

This commit ensures proper cleanup by deleting the gm_join_list when a PIM interface is deleted. The gm_join_list was previously not being freed, causing a memory leak. The ASan leak log for reference: ``` *********************************************************************************** Address Sanitizer Error detected in multicast_mld_join_topo1.test_multicast_mld_local_join/r1.asan.pim6d.28070 ================================================================= ==28070==ERROR: LeakSanitizer: detected memory leaks Direct leak of 40 byte(s) in 1 object(s) allocated from: #0 0x7f3605dbfd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) FRRouting#1 0x56230373dd6b in qcalloc lib/memory.c:105 FRRouting#2 0x56230372180f in list_new lib/linklist.c:49 FRRouting#3 0x56230361b589 in pim_if_gm_join_add pimd/pim_iface.c:1313 FRRouting#4 0x562303642247 in lib_interface_gmp_address_family_static_group_create pimd/pim_nb_config.c:2868 FRRouting#5 0x562303767280 in nb_callback_create lib/northbound.c:1235 FRRouting#6 0x562303767280 in nb_callback_configuration lib/northbound.c:1579 FRRouting#7 0x562303768a1d in nb_transaction_process lib/northbound.c:1710 FRRouting#8 0x56230376904a in nb_candidate_commit_apply lib/northbound.c:1104 FRRouting#9 0x5623037692ba in nb_candidate_commit lib/northbound.c:1137 FRRouting#10 0x562303769dec in nb_cli_classic_commit lib/northbound_cli.c:49 FRRouting#11 0x56230376fb79 in nb_cli_pending_commit_check lib/northbound_cli.c:88 FRRouting#12 0x5623036c5bcb in cmd_execute_command_real lib/command.c:991 FRRouting#13 0x5623036c5f1b in cmd_execute_command lib/command.c:1053 FRRouting#14 0x5623036c6392 in cmd_execute lib/command.c:1221 FRRouting#15 0x5623037e75da in vty_command lib/vty.c:591 FRRouting#16 0x5623037e7a74 in vty_execute lib/vty.c:1354 FRRouting#17 0x5623037f0253 in vtysh_read lib/vty.c:2362 FRRouting#18 0x5623037db4e8 in event_call lib/event.c:1995 FRRouting#19 0x562303720f97 in frr_run lib/libfrr.c:1213 FRRouting#20 0x56230368615d in main pimd/pim6_main.c:184 FRRouting#21 0x7f360461bc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 192 byte(s) in 4 object(s) allocated from: #0 0x7f3605dbfd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) FRRouting#1 0x56230373dd6b in qcalloc lib/memory.c:105 FRRouting#2 0x56230361b91d in gm_join_new pimd/pim_iface.c:1288 FRRouting#3 0x56230361b91d in pim_if_gm_join_add pimd/pim_iface.c:1326 FRRouting#4 0x562303642247 in lib_interface_gmp_address_family_static_group_create pimd/pim_nb_config.c:2868 FRRouting#5 0x562303767280 in nb_callback_create lib/northbound.c:1235 FRRouting#6 0x562303767280 in nb_callback_configuration lib/northbound.c:1579 FRRouting#7 0x562303768a1d in nb_transaction_process lib/northbound.c:1710 FRRouting#8 0x56230376904a in nb_candidate_commit_apply lib/northbound.c:1104 FRRouting#9 0x5623037692ba in nb_candidate_commit lib/northbound.c:1137 FRRouting#10 0x562303769dec in nb_cli_classic_commit lib/northbound_cli.c:49 FRRouting#11 0x56230376fb79 in nb_cli_pending_commit_check lib/northbound_cli.c:88 FRRouting#12 0x5623036c5bcb in cmd_execute_command_real lib/command.c:991 FRRouting#13 0x5623036c5f1b in cmd_execute_command lib/command.c:1053 FRRouting#14 0x5623036c6392 in cmd_execute lib/command.c:1221 FRRouting#15 0x5623037e75da in vty_command lib/vty.c:591 FRRouting#16 0x5623037e7a74 in vty_execute lib/vty.c:1354 FRRouting#17 0x5623037f0253 in vtysh_read lib/vty.c:2362 FRRouting#18 0x5623037db4e8 in event_call lib/event.c:1995 FRRouting#19 0x562303720f97 in frr_run lib/libfrr.c:1213 FRRouting#20 0x56230368615d in main pimd/pim6_main.c:184 FRRouting#21 0x7f360461bc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 96 byte(s) in 4 object(s) allocated from: #0 0x7f3605dbfd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) FRRouting#1 0x56230373dd6b in qcalloc lib/memory.c:105 FRRouting#2 0x562303721651 in listnode_new lib/linklist.c:71 FRRouting#3 0x56230372182b in listnode_add lib/linklist.c:92 FRRouting#4 0x56230361ba9a in gm_join_new pimd/pim_iface.c:1295 FRRouting#5 0x56230361ba9a in pim_if_gm_join_add pimd/pim_iface.c:1326 FRRouting#6 0x562303642247 in lib_interface_gmp_address_family_static_group_create pimd/pim_nb_config.c:2868 FRRouting#7 0x562303767280 in nb_callback_create lib/northbound.c:1235 FRRouting#8 0x562303767280 in nb_callback_configuration lib/northbound.c:1579 FRRouting#9 0x562303768a1d in nb_transaction_process lib/northbound.c:1710 FRRouting#10 0x56230376904a in nb_candidate_commit_apply lib/northbound.c:1104 FRRouting#11 0x5623037692ba in nb_candidate_commit lib/northbound.c:1137 FRRouting#12 0x562303769dec in nb_cli_classic_commit lib/northbound_cli.c:49 FRRouting#13 0x56230376fb79 in nb_cli_pending_commit_check lib/northbound_cli.c:88 FRRouting#14 0x5623036c5bcb in cmd_execute_command_real lib/command.c:991 FRRouting#15 0x5623036c5f1b in cmd_execute_command lib/command.c:1053 FRRouting#16 0x5623036c6392 in cmd_execute lib/command.c:1221 FRRouting#17 0x5623037e75da in vty_command lib/vty.c:591 FRRouting#18 0x5623037e7a74 in vty_execute lib/vty.c:1354 FRRouting#19 0x5623037f0253 in vtysh_read lib/vty.c:2362 FRRouting#20 0x5623037db4e8 in event_call lib/event.c:1995 FRRouting#21 0x562303720f97 in frr_run lib/libfrr.c:1213 FRRouting#22 0x56230368615d in main pimd/pim6_main.c:184 FRRouting#23 0x7f360461bc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 48 byte(s) in 1 object(s) allocated from: #0 0x7f3605dbfd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) FRRouting#1 0x56230373dd6b in qcalloc lib/memory.c:105 FRRouting#2 0x56230361b91d in gm_join_new pimd/pim_iface.c:1288 FRRouting#3 0x56230361b91d in pim_if_gm_join_add pimd/pim_iface.c:1326 FRRouting#4 0x562303642247 in lib_interface_gmp_address_family_static_group_create pimd/pim_nb_config.c:2868 FRRouting#5 0x562303767280 in nb_callback_create lib/northbound.c:1235 FRRouting#6 0x562303767280 in nb_callback_configuration lib/northbound.c:1579 FRRouting#7 0x562303768a1d in nb_transaction_process lib/northbound.c:1710 FRRouting#8 0x56230376904a in nb_candidate_commit_apply lib/northbound.c:1104 FRRouting#9 0x5623037692ba in nb_candidate_commit lib/northbound.c:1137 FRRouting#10 0x562303769dec in nb_cli_classic_commit lib/northbound_cli.c:49 FRRouting#11 0x56230376fb79 in nb_cli_pending_commit_check lib/northbound_cli.c:88 FRRouting#12 0x5623036c5bcb in cmd_execute_command_real lib/command.c:991 FRRouting#13 0x5623036c5f6f in cmd_execute_command lib/command.c:1072 FRRouting#14 0x5623036c6392 in cmd_execute lib/command.c:1221 FRRouting#15 0x5623037e75da in vty_command lib/vty.c:591 FRRouting#16 0x5623037e7a74 in vty_execute lib/vty.c:1354 FRRouting#17 0x5623037f0253 in vtysh_read lib/vty.c:2362 FRRouting#18 0x5623037db4e8 in event_call lib/event.c:1995 FRRouting#19 0x562303720f97 in frr_run lib/libfrr.c:1213 FRRouting#20 0x56230368615d in main pimd/pim6_main.c:184 FRRouting#21 0x7f360461bc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 24 byte(s) in 1 object(s) allocated from: #0 0x7f3605dbfd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) FRRouting#1 0x56230373dd6b in qcalloc lib/memory.c:105 FRRouting#2 0x562303721651 in listnode_new lib/linklist.c:71 FRRouting#3 0x56230372182b in listnode_add lib/linklist.c:92 FRRouting#4 0x56230361ba9a in gm_join_new pimd/pim_iface.c:1295 FRRouting#5 0x56230361ba9a in pim_if_gm_join_add pimd/pim_iface.c:1326 FRRouting#6 0x562303642247 in lib_interface_gmp_address_family_static_group_create pimd/pim_nb_config.c:2868 FRRouting#7 0x562303767280 in nb_callback_create lib/northbound.c:1235 FRRouting#8 0x562303767280 in nb_callback_configuration lib/northbound.c:1579 FRRouting#9 0x562303768a1d in nb_transaction_process lib/northbound.c:1710 FRRouting#10 0x56230376904a in nb_candidate_commit_apply lib/northbound.c:1104 FRRouting#11 0x5623037692ba in nb_candidate_commit lib/northbound.c:1137 FRRouting#12 0x562303769dec in nb_cli_classic_commit lib/northbound_cli.c:49 FRRouting#13 0x56230376fb79 in nb_cli_pending_commit_check lib/northbound_cli.c:88 FRRouting#14 0x5623036c5bcb in cmd_execute_command_real lib/command.c:991 FRRouting#15 0x5623036c5f6f in cmd_execute_command lib/command.c:1072 FRRouting#16 0x5623036c6392 in cmd_execute lib/command.c:1221 FRRouting#17 0x5623037e75da in vty_command lib/vty.c:591 FRRouting#18 0x5623037e7a74 in vty_execute lib/vty.c:1354 FRRouting#19 0x5623037f0253 in vtysh_read lib/vty.c:2362 FRRouting#20 0x5623037db4e8 in event_call lib/event.c:1995 FRRouting#21 0x562303720f97 in frr_run lib/libfrr.c:1213 FRRouting#22 0x56230368615d in main pimd/pim6_main.c:184 FRRouting#23 0x7f360461bc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) SUMMARY: AddressSanitizer: 400 byte(s) leaked in 11 allocation(s). *********************************************************************************** ``` Signed-off-by: Keelan Cannoo <keelan.cannoo@icloud.com>

This commit ensures proper cleanup by deleting the gm_join_list when a PIM interface is deleted. The gm_join_list was previously not being freed, causing a memory leak. The ASan leak log for reference: ``` *********************************************************************************** Address Sanitizer Error detected in multicast_mld_join_topo1.test_multicast_mld_local_join/r1.asan.pim6d.28070 ================================================================= ==28070==ERROR: LeakSanitizer: detected memory leaks Direct leak of 40 byte(s) in 1 object(s) allocated from: #0 0x7f3605dbfd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x56230373dd6b in qcalloc lib/memory.c:105 #2 0x56230372180f in list_new lib/linklist.c:49 #3 0x56230361b589 in pim_if_gm_join_add pimd/pim_iface.c:1313 #4 0x562303642247 in lib_interface_gmp_address_family_static_group_create pimd/pim_nb_config.c:2868 #5 0x562303767280 in nb_callback_create lib/northbound.c:1235 #6 0x562303767280 in nb_callback_configuration lib/northbound.c:1579 #7 0x562303768a1d in nb_transaction_process lib/northbound.c:1710 #8 0x56230376904a in nb_candidate_commit_apply lib/northbound.c:1104 #9 0x5623037692ba in nb_candidate_commit lib/northbound.c:1137 #10 0x562303769dec in nb_cli_classic_commit lib/northbound_cli.c:49 #11 0x56230376fb79 in nb_cli_pending_commit_check lib/northbound_cli.c:88 #12 0x5623036c5bcb in cmd_execute_command_real lib/command.c:991 #13 0x5623036c5f1b in cmd_execute_command lib/command.c:1053 #14 0x5623036c6392 in cmd_execute lib/command.c:1221 #15 0x5623037e75da in vty_command lib/vty.c:591 #16 0x5623037e7a74 in vty_execute lib/vty.c:1354 #17 0x5623037f0253 in vtysh_read lib/vty.c:2362 #18 0x5623037db4e8 in event_call lib/event.c:1995 #19 0x562303720f97 in frr_run lib/libfrr.c:1213 #20 0x56230368615d in main pimd/pim6_main.c:184 #21 0x7f360461bc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 192 byte(s) in 4 object(s) allocated from: #0 0x7f3605dbfd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x56230373dd6b in qcalloc lib/memory.c:105 #2 0x56230361b91d in gm_join_new pimd/pim_iface.c:1288 #3 0x56230361b91d in pim_if_gm_join_add pimd/pim_iface.c:1326 #4 0x562303642247 in lib_interface_gmp_address_family_static_group_create pimd/pim_nb_config.c:2868 #5 0x562303767280 in nb_callback_create lib/northbound.c:1235 #6 0x562303767280 in nb_callback_configuration lib/northbound.c:1579 #7 0x562303768a1d in nb_transaction_process lib/northbound.c:1710 #8 0x56230376904a in nb_candidate_commit_apply lib/northbound.c:1104 #9 0x5623037692ba in nb_candidate_commit lib/northbound.c:1137 #10 0x562303769dec in nb_cli_classic_commit lib/northbound_cli.c:49 #11 0x56230376fb79 in nb_cli_pending_commit_check lib/northbound_cli.c:88 #12 0x5623036c5bcb in cmd_execute_command_real lib/command.c:991 #13 0x5623036c5f1b in cmd_execute_command lib/command.c:1053 #14 0x5623036c6392 in cmd_execute lib/command.c:1221 #15 0x5623037e75da in vty_command lib/vty.c:591 #16 0x5623037e7a74 in vty_execute lib/vty.c:1354 #17 0x5623037f0253 in vtysh_read lib/vty.c:2362 #18 0x5623037db4e8 in event_call lib/event.c:1995 #19 0x562303720f97 in frr_run lib/libfrr.c:1213 #20 0x56230368615d in main pimd/pim6_main.c:184 #21 0x7f360461bc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 96 byte(s) in 4 object(s) allocated from: #0 0x7f3605dbfd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x56230373dd6b in qcalloc lib/memory.c:105 #2 0x562303721651 in listnode_new lib/linklist.c:71 #3 0x56230372182b in listnode_add lib/linklist.c:92 #4 0x56230361ba9a in gm_join_new pimd/pim_iface.c:1295 #5 0x56230361ba9a in pim_if_gm_join_add pimd/pim_iface.c:1326 #6 0x562303642247 in lib_interface_gmp_address_family_static_group_create pimd/pim_nb_config.c:2868 #7 0x562303767280 in nb_callback_create lib/northbound.c:1235 #8 0x562303767280 in nb_callback_configuration lib/northbound.c:1579 #9 0x562303768a1d in nb_transaction_process lib/northbound.c:1710 #10 0x56230376904a in nb_candidate_commit_apply lib/northbound.c:1104 #11 0x5623037692ba in nb_candidate_commit lib/northbound.c:1137 #12 0x562303769dec in nb_cli_classic_commit lib/northbound_cli.c:49 #13 0x56230376fb79 in nb_cli_pending_commit_check lib/northbound_cli.c:88 #14 0x5623036c5bcb in cmd_execute_command_real lib/command.c:991 #15 0x5623036c5f1b in cmd_execute_command lib/command.c:1053 #16 0x5623036c6392 in cmd_execute lib/command.c:1221 #17 0x5623037e75da in vty_command lib/vty.c:591 #18 0x5623037e7a74 in vty_execute lib/vty.c:1354 #19 0x5623037f0253 in vtysh_read lib/vty.c:2362 #20 0x5623037db4e8 in event_call lib/event.c:1995 #21 0x562303720f97 in frr_run lib/libfrr.c:1213 #22 0x56230368615d in main pimd/pim6_main.c:184 #23 0x7f360461bc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 48 byte(s) in 1 object(s) allocated from: #0 0x7f3605dbfd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x56230373dd6b in qcalloc lib/memory.c:105 #2 0x56230361b91d in gm_join_new pimd/pim_iface.c:1288 #3 0x56230361b91d in pim_if_gm_join_add pimd/pim_iface.c:1326 #4 0x562303642247 in lib_interface_gmp_address_family_static_group_create pimd/pim_nb_config.c:2868 #5 0x562303767280 in nb_callback_create lib/northbound.c:1235 #6 0x562303767280 in nb_callback_configuration lib/northbound.c:1579 #7 0x562303768a1d in nb_transaction_process lib/northbound.c:1710 #8 0x56230376904a in nb_candidate_commit_apply lib/northbound.c:1104 #9 0x5623037692ba in nb_candidate_commit lib/northbound.c:1137 #10 0x562303769dec in nb_cli_classic_commit lib/northbound_cli.c:49 #11 0x56230376fb79 in nb_cli_pending_commit_check lib/northbound_cli.c:88 #12 0x5623036c5bcb in cmd_execute_command_real lib/command.c:991 #13 0x5623036c5f6f in cmd_execute_command lib/command.c:1072 #14 0x5623036c6392 in cmd_execute lib/command.c:1221 #15 0x5623037e75da in vty_command lib/vty.c:591 #16 0x5623037e7a74 in vty_execute lib/vty.c:1354 #17 0x5623037f0253 in vtysh_read lib/vty.c:2362 #18 0x5623037db4e8 in event_call lib/event.c:1995 #19 0x562303720f97 in frr_run lib/libfrr.c:1213 #20 0x56230368615d in main pimd/pim6_main.c:184 #21 0x7f360461bc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 24 byte(s) in 1 object(s) allocated from: #0 0x7f3605dbfd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x56230373dd6b in qcalloc lib/memory.c:105 #2 0x562303721651 in listnode_new lib/linklist.c:71 #3 0x56230372182b in listnode_add lib/linklist.c:92 #4 0x56230361ba9a in gm_join_new pimd/pim_iface.c:1295 #5 0x56230361ba9a in pim_if_gm_join_add pimd/pim_iface.c:1326 #6 0x562303642247 in lib_interface_gmp_address_family_static_group_create pimd/pim_nb_config.c:2868 #7 0x562303767280 in nb_callback_create lib/northbound.c:1235 #8 0x562303767280 in nb_callback_configuration lib/northbound.c:1579 #9 0x562303768a1d in nb_transaction_process lib/northbound.c:1710 #10 0x56230376904a in nb_candidate_commit_apply lib/northbound.c:1104 #11 0x5623037692ba in nb_candidate_commit lib/northbound.c:1137 #12 0x562303769dec in nb_cli_classic_commit lib/northbound_cli.c:49 #13 0x56230376fb79 in nb_cli_pending_commit_check lib/northbound_cli.c:88 #14 0x5623036c5bcb in cmd_execute_command_real lib/command.c:991 #15 0x5623036c5f6f in cmd_execute_command lib/command.c:1072 #16 0x5623036c6392 in cmd_execute lib/command.c:1221 #17 0x5623037e75da in vty_command lib/vty.c:591 #18 0x5623037e7a74 in vty_execute lib/vty.c:1354 #19 0x5623037f0253 in vtysh_read lib/vty.c:2362 #20 0x5623037db4e8 in event_call lib/event.c:1995 #21 0x562303720f97 in frr_run lib/libfrr.c:1213 #22 0x56230368615d in main pimd/pim6_main.c:184 #23 0x7f360461bc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) SUMMARY: AddressSanitizer: 400 byte(s) leaked in 11 allocation(s). *********************************************************************************** ``` Signed-off-by: Keelan Cannoo <keelan.cannoo@icloud.com> (cherry picked from commit 24379f0)

This commit ensures proper cleanup by deleting the gm_join_list when a PIM interface is deleted. The gm_join_list was previously not being freed, causing a memory leak. The ASan leak log for reference: ``` *********************************************************************************** Address Sanitizer Error detected in multicast_mld_join_topo1.test_multicast_mld_local_join/r1.asan.pim6d.28070 ================================================================= ==28070==ERROR: LeakSanitizer: detected memory leaks Direct leak of 40 byte(s) in 1 object(s) allocated from: #0 0x7f3605dbfd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x56230373dd6b in qcalloc lib/memory.c:105 #2 0x56230372180f in list_new lib/linklist.c:49 #3 0x56230361b589 in pim_if_gm_join_add pimd/pim_iface.c:1313 #4 0x562303642247 in lib_interface_gmp_address_family_static_group_create pimd/pim_nb_config.c:2868 #5 0x562303767280 in nb_callback_create lib/northbound.c:1235 #6 0x562303767280 in nb_callback_configuration lib/northbound.c:1579 #7 0x562303768a1d in nb_transaction_process lib/northbound.c:1710 #8 0x56230376904a in nb_candidate_commit_apply lib/northbound.c:1104 #9 0x5623037692ba in nb_candidate_commit lib/northbound.c:1137 #10 0x562303769dec in nb_cli_classic_commit lib/northbound_cli.c:49 #11 0x56230376fb79 in nb_cli_pending_commit_check lib/northbound_cli.c:88 #12 0x5623036c5bcb in cmd_execute_command_real lib/command.c:991 #13 0x5623036c5f1b in cmd_execute_command lib/command.c:1053 #14 0x5623036c6392 in cmd_execute lib/command.c:1221 #15 0x5623037e75da in vty_command lib/vty.c:591 #16 0x5623037e7a74 in vty_execute lib/vty.c:1354 #17 0x5623037f0253 in vtysh_read lib/vty.c:2362 #18 0x5623037db4e8 in event_call lib/event.c:1995 #19 0x562303720f97 in frr_run lib/libfrr.c:1213 #20 0x56230368615d in main pimd/pim6_main.c:184 #21 0x7f360461bc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 192 byte(s) in 4 object(s) allocated from: #0 0x7f3605dbfd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x56230373dd6b in qcalloc lib/memory.c:105 #2 0x56230361b91d in gm_join_new pimd/pim_iface.c:1288 #3 0x56230361b91d in pim_if_gm_join_add pimd/pim_iface.c:1326 #4 0x562303642247 in lib_interface_gmp_address_family_static_group_create pimd/pim_nb_config.c:2868 #5 0x562303767280 in nb_callback_create lib/northbound.c:1235 #6 0x562303767280 in nb_callback_configuration lib/northbound.c:1579 #7 0x562303768a1d in nb_transaction_process lib/northbound.c:1710 #8 0x56230376904a in nb_candidate_commit_apply lib/northbound.c:1104 #9 0x5623037692ba in nb_candidate_commit lib/northbound.c:1137 #10 0x562303769dec in nb_cli_classic_commit lib/northbound_cli.c:49 #11 0x56230376fb79 in nb_cli_pending_commit_check lib/northbound_cli.c:88 #12 0x5623036c5bcb in cmd_execute_command_real lib/command.c:991 #13 0x5623036c5f1b in cmd_execute_command lib/command.c:1053 #14 0x5623036c6392 in cmd_execute lib/command.c:1221 #15 0x5623037e75da in vty_command lib/vty.c:591 #16 0x5623037e7a74 in vty_execute lib/vty.c:1354 #17 0x5623037f0253 in vtysh_read lib/vty.c:2362 #18 0x5623037db4e8 in event_call lib/event.c:1995 #19 0x562303720f97 in frr_run lib/libfrr.c:1213 #20 0x56230368615d in main pimd/pim6_main.c:184 #21 0x7f360461bc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 96 byte(s) in 4 object(s) allocated from: #0 0x7f3605dbfd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x56230373dd6b in qcalloc lib/memory.c:105 #2 0x562303721651 in listnode_new lib/linklist.c:71 #3 0x56230372182b in listnode_add lib/linklist.c:92 #4 0x56230361ba9a in gm_join_new pimd/pim_iface.c:1295 #5 0x56230361ba9a in pim_if_gm_join_add pimd/pim_iface.c:1326 #6 0x562303642247 in lib_interface_gmp_address_family_static_group_create pimd/pim_nb_config.c:2868 #7 0x562303767280 in nb_callback_create lib/northbound.c:1235 #8 0x562303767280 in nb_callback_configuration lib/northbound.c:1579 #9 0x562303768a1d in nb_transaction_process lib/northbound.c:1710 #10 0x56230376904a in nb_candidate_commit_apply lib/northbound.c:1104 #11 0x5623037692ba in nb_candidate_commit lib/northbound.c:1137 #12 0x562303769dec in nb_cli_classic_commit lib/northbound_cli.c:49 #13 0x56230376fb79 in nb_cli_pending_commit_check lib/northbound_cli.c:88 #14 0x5623036c5bcb in cmd_execute_command_real lib/command.c:991 #15 0x5623036c5f1b in cmd_execute_command lib/command.c:1053 #16 0x5623036c6392 in cmd_execute lib/command.c:1221 #17 0x5623037e75da in vty_command lib/vty.c:591 #18 0x5623037e7a74 in vty_execute lib/vty.c:1354 #19 0x5623037f0253 in vtysh_read lib/vty.c:2362 #20 0x5623037db4e8 in event_call lib/event.c:1995 #21 0x562303720f97 in frr_run lib/libfrr.c:1213 #22 0x56230368615d in main pimd/pim6_main.c:184 #23 0x7f360461bc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 48 byte(s) in 1 object(s) allocated from: #0 0x7f3605dbfd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x56230373dd6b in qcalloc lib/memory.c:105 #2 0x56230361b91d in gm_join_new pimd/pim_iface.c:1288 #3 0x56230361b91d in pim_if_gm_join_add pimd/pim_iface.c:1326 #4 0x562303642247 in lib_interface_gmp_address_family_static_group_create pimd/pim_nb_config.c:2868 #5 0x562303767280 in nb_callback_create lib/northbound.c:1235 #6 0x562303767280 in nb_callback_configuration lib/northbound.c:1579 #7 0x562303768a1d in nb_transaction_process lib/northbound.c:1710 #8 0x56230376904a in nb_candidate_commit_apply lib/northbound.c:1104 #9 0x5623037692ba in nb_candidate_commit lib/northbound.c:1137 #10 0x562303769dec in nb_cli_classic_commit lib/northbound_cli.c:49 #11 0x56230376fb79 in nb_cli_pending_commit_check lib/northbound_cli.c:88 #12 0x5623036c5bcb in cmd_execute_command_real lib/command.c:991 #13 0x5623036c5f6f in cmd_execute_command lib/command.c:1072 #14 0x5623036c6392 in cmd_execute lib/command.c:1221 #15 0x5623037e75da in vty_command lib/vty.c:591 #16 0x5623037e7a74 in vty_execute lib/vty.c:1354 #17 0x5623037f0253 in vtysh_read lib/vty.c:2362 #18 0x5623037db4e8 in event_call lib/event.c:1995 #19 0x562303720f97 in frr_run lib/libfrr.c:1213 #20 0x56230368615d in main pimd/pim6_main.c:184 #21 0x7f360461bc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 24 byte(s) in 1 object(s) allocated from: #0 0x7f3605dbfd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x56230373dd6b in qcalloc lib/memory.c:105 #2 0x562303721651 in listnode_new lib/linklist.c:71 #3 0x56230372182b in listnode_add lib/linklist.c:92 #4 0x56230361ba9a in gm_join_new pimd/pim_iface.c:1295 #5 0x56230361ba9a in pim_if_gm_join_add pimd/pim_iface.c:1326 #6 0x562303642247 in lib_interface_gmp_address_family_static_group_create pimd/pim_nb_config.c:2868 #7 0x562303767280 in nb_callback_create lib/northbound.c:1235 #8 0x562303767280 in nb_callback_configuration lib/northbound.c:1579 #9 0x562303768a1d in nb_transaction_process lib/northbound.c:1710 #10 0x56230376904a in nb_candidate_commit_apply lib/northbound.c:1104 #11 0x5623037692ba in nb_candidate_commit lib/northbound.c:1137 #12 0x562303769dec in nb_cli_classic_commit lib/northbound_cli.c:49 #13 0x56230376fb79 in nb_cli_pending_commit_check lib/northbound_cli.c:88 #14 0x5623036c5bcb in cmd_execute_command_real lib/command.c:991 #15 0x5623036c5f6f in cmd_execute_command lib/command.c:1072 #16 0x5623036c6392 in cmd_execute lib/command.c:1221 #17 0x5623037e75da in vty_command lib/vty.c:591 #18 0x5623037e7a74 in vty_execute lib/vty.c:1354 #19 0x5623037f0253 in vtysh_read lib/vty.c:2362 #20 0x5623037db4e8 in event_call lib/event.c:1995 #21 0x562303720f97 in frr_run lib/libfrr.c:1213 #22 0x56230368615d in main pimd/pim6_main.c:184 #23 0x7f360461bc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) SUMMARY: AddressSanitizer: 400 byte(s) leaked in 11 allocation(s). *********************************************************************************** ``` Signed-off-by: Keelan Cannoo <keelan.cannoo@icloud.com> (cherry picked from commit 24379f0) # Conflicts: # pimd/pim_iface.c

The loading_done event needs a event pointer to prevent use after free's. Testing found this: ERROR: AddressSanitizer: heap-use-after-free on address 0x613000035130 at pc 0x55ad42d54e5f bp 0x7ffff1e942a0 sp 0x7ffff1e94290 READ of size 1 at 0x613000035130 thread T0 #0 0x55ad42d54e5e in loading_done ospf6d/ospf6_neighbor.c:447 #1 0x55ad42ed7be4 in event_call lib/event.c:1995 #2 0x55ad42e1df75 in frr_run lib/libfrr.c:1213 #3 0x55ad42cf332e in main ospf6d/ospf6_main.c:250 #4 0x7f5798133c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) #5 0x55ad42cf2b19 in _start (/usr/lib/frr/ospf6d+0x248b19) 0x613000035130 is located 48 bytes inside of 384-byte region [0x613000035100,0x613000035280) freed by thread T0 here: #0 0x7f57998d77a8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8) #1 0x55ad42e3b4b6 in qfree lib/memory.c:130 #2 0x55ad42d5d049 in ospf6_neighbor_delete ospf6d/ospf6_neighbor.c:180 #3 0x55ad42d1e1ea in interface_down ospf6d/ospf6_interface.c:930 #4 0x55ad42ed7be4 in event_call lib/event.c:1995 #5 0x55ad42ed84fe in _event_execute lib/event.c:2086 #6 0x55ad42d26d7b in ospf6_interface_clear ospf6d/ospf6_interface.c:2847 #7 0x55ad42d73f16 in ospf6_process_reset ospf6d/ospf6_top.c:755 #8 0x55ad42d7e98c in clear_router_ospf6_magic ospf6d/ospf6_top.c:778 #9 0x55ad42d7e98c in clear_router_ospf6 ospf6d/ospf6_top_clippy.c:42 #10 0x55ad42dc2665 in cmd_execute_command_real lib/command.c:994 #11 0x55ad42dc2b32 in cmd_execute_command lib/command.c:1053 #12 0x55ad42dc2fa9 in cmd_execute lib/command.c:1221 #13 0x55ad42ee3cd6 in vty_command lib/vty.c:591 #14 0x55ad42ee4170 in vty_execute lib/vty.c:1354 #15 0x55ad42eec94f in vtysh_read lib/vty.c:2362 #16 0x55ad42ed7be4 in event_call lib/event.c:1995 #17 0x55ad42e1df75 in frr_run lib/libfrr.c:1213 #18 0x55ad42cf332e in main ospf6d/ospf6_main.c:250 #19 0x7f5798133c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) previously allocated by thread T0 here: #0 0x7f57998d7d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x55ad42e3ab22 in qcalloc lib/memory.c:105 #2 0x55ad42d5c8ff in ospf6_neighbor_create ospf6d/ospf6_neighbor.c:119 #3 0x55ad42d4c86a in ospf6_hello_recv ospf6d/ospf6_message.c:464 #4 0x55ad42d4c86a in ospf6_read_helper ospf6d/ospf6_message.c:1884 #5 0x55ad42d4c86a in ospf6_receive ospf6d/ospf6_message.c:1925 #6 0x55ad42ed7be4 in event_call lib/event.c:1995 #7 0x55ad42e1df75 in frr_run lib/libfrr.c:1213 #8 0x55ad42cf332e in main ospf6d/ospf6_main.c:250 #9 0x7f5798133c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Add an actual event pointer and just track it appropriately. Signed-off-by: Donald Sharp <sharpd@nvidia.com>

The loading_done event needs a event pointer to prevent use after free's. Testing found this: ERROR: AddressSanitizer: heap-use-after-free on address 0x613000035130 at pc 0x55ad42d54e5f bp 0x7ffff1e942a0 sp 0x7ffff1e94290 READ of size 1 at 0x613000035130 thread T0 #0 0x55ad42d54e5e in loading_done ospf6d/ospf6_neighbor.c:447 #1 0x55ad42ed7be4 in event_call lib/event.c:1995 #2 0x55ad42e1df75 in frr_run lib/libfrr.c:1213 #3 0x55ad42cf332e in main ospf6d/ospf6_main.c:250 #4 0x7f5798133c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) #5 0x55ad42cf2b19 in _start (/usr/lib/frr/ospf6d+0x248b19) 0x613000035130 is located 48 bytes inside of 384-byte region [0x613000035100,0x613000035280) freed by thread T0 here: #0 0x7f57998d77a8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8) #1 0x55ad42e3b4b6 in qfree lib/memory.c:130 #2 0x55ad42d5d049 in ospf6_neighbor_delete ospf6d/ospf6_neighbor.c:180 #3 0x55ad42d1e1ea in interface_down ospf6d/ospf6_interface.c:930 #4 0x55ad42ed7be4 in event_call lib/event.c:1995 #5 0x55ad42ed84fe in _event_execute lib/event.c:2086 #6 0x55ad42d26d7b in ospf6_interface_clear ospf6d/ospf6_interface.c:2847 #7 0x55ad42d73f16 in ospf6_process_reset ospf6d/ospf6_top.c:755 #8 0x55ad42d7e98c in clear_router_ospf6_magic ospf6d/ospf6_top.c:778 #9 0x55ad42d7e98c in clear_router_ospf6 ospf6d/ospf6_top_clippy.c:42 #10 0x55ad42dc2665 in cmd_execute_command_real lib/command.c:994 #11 0x55ad42dc2b32 in cmd_execute_command lib/command.c:1053 #12 0x55ad42dc2fa9 in cmd_execute lib/command.c:1221 #13 0x55ad42ee3cd6 in vty_command lib/vty.c:591 #14 0x55ad42ee4170 in vty_execute lib/vty.c:1354 #15 0x55ad42eec94f in vtysh_read lib/vty.c:2362 #16 0x55ad42ed7be4 in event_call lib/event.c:1995 #17 0x55ad42e1df75 in frr_run lib/libfrr.c:1213 #18 0x55ad42cf332e in main ospf6d/ospf6_main.c:250 #19 0x7f5798133c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) previously allocated by thread T0 here: #0 0x7f57998d7d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x55ad42e3ab22 in qcalloc lib/memory.c:105 #2 0x55ad42d5c8ff in ospf6_neighbor_create ospf6d/ospf6_neighbor.c:119 #3 0x55ad42d4c86a in ospf6_hello_recv ospf6d/ospf6_message.c:464 #4 0x55ad42d4c86a in ospf6_read_helper ospf6d/ospf6_message.c:1884 #5 0x55ad42d4c86a in ospf6_receive ospf6d/ospf6_message.c:1925 #6 0x55ad42ed7be4 in event_call lib/event.c:1995 #7 0x55ad42e1df75 in frr_run lib/libfrr.c:1213 #8 0x55ad42cf332e in main ospf6d/ospf6_main.c:250 #9 0x7f5798133c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Add an actual event pointer and just track it appropriately. Signed-off-by: Donald Sharp <sharpd@nvidia.com> (cherry picked from commit 77e838e)

The loading_done event needs a event pointer to prevent use after free's. Testing found this: ERROR: AddressSanitizer: heap-use-after-free on address 0x613000035130 at pc 0x55ad42d54e5f bp 0x7ffff1e942a0 sp 0x7ffff1e94290 READ of size 1 at 0x613000035130 thread T0 #0 0x55ad42d54e5e in loading_done ospf6d/ospf6_neighbor.c:447 #1 0x55ad42ed7be4 in event_call lib/event.c:1995 #2 0x55ad42e1df75 in frr_run lib/libfrr.c:1213 #3 0x55ad42cf332e in main ospf6d/ospf6_main.c:250 #4 0x7f5798133c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) #5 0x55ad42cf2b19 in _start (/usr/lib/frr/ospf6d+0x248b19) 0x613000035130 is located 48 bytes inside of 384-byte region [0x613000035100,0x613000035280) freed by thread T0 here: #0 0x7f57998d77a8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8) #1 0x55ad42e3b4b6 in qfree lib/memory.c:130 #2 0x55ad42d5d049 in ospf6_neighbor_delete ospf6d/ospf6_neighbor.c:180 #3 0x55ad42d1e1ea in interface_down ospf6d/ospf6_interface.c:930 #4 0x55ad42ed7be4 in event_call lib/event.c:1995 #5 0x55ad42ed84fe in _event_execute lib/event.c:2086 #6 0x55ad42d26d7b in ospf6_interface_clear ospf6d/ospf6_interface.c:2847 #7 0x55ad42d73f16 in ospf6_process_reset ospf6d/ospf6_top.c:755 #8 0x55ad42d7e98c in clear_router_ospf6_magic ospf6d/ospf6_top.c:778 #9 0x55ad42d7e98c in clear_router_ospf6 ospf6d/ospf6_top_clippy.c:42 #10 0x55ad42dc2665 in cmd_execute_command_real lib/command.c:994 #11 0x55ad42dc2b32 in cmd_execute_command lib/command.c:1053 #12 0x55ad42dc2fa9 in cmd_execute lib/command.c:1221 #13 0x55ad42ee3cd6 in vty_command lib/vty.c:591 #14 0x55ad42ee4170 in vty_execute lib/vty.c:1354 #15 0x55ad42eec94f in vtysh_read lib/vty.c:2362 #16 0x55ad42ed7be4 in event_call lib/event.c:1995 #17 0x55ad42e1df75 in frr_run lib/libfrr.c:1213 #18 0x55ad42cf332e in main ospf6d/ospf6_main.c:250 #19 0x7f5798133c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) previously allocated by thread T0 here: #0 0x7f57998d7d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x55ad42e3ab22 in qcalloc lib/memory.c:105 #2 0x55ad42d5c8ff in ospf6_neighbor_create ospf6d/ospf6_neighbor.c:119 #3 0x55ad42d4c86a in ospf6_hello_recv ospf6d/ospf6_message.c:464 #4 0x55ad42d4c86a in ospf6_read_helper ospf6d/ospf6_message.c:1884 #5 0x55ad42d4c86a in ospf6_receive ospf6d/ospf6_message.c:1925 #6 0x55ad42ed7be4 in event_call lib/event.c:1995 #7 0x55ad42e1df75 in frr_run lib/libfrr.c:1213 #8 0x55ad42cf332e in main ospf6d/ospf6_main.c:250 #9 0x7f5798133c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Add an actual event pointer and just track it appropriately. Signed-off-by: Donald Sharp <sharpd@nvidia.com> (cherry picked from commit 77e838e) # Conflicts: # ospf6d/ospf6_message.c # ospf6d/ospf6_neighbor.c # ospf6d/ospf6_neighbor.h

The loading_done event needs a event pointer to prevent use after free's. Testing found this: ERROR: AddressSanitizer: heap-use-after-free on address 0x613000035130 at pc 0x55ad42d54e5f bp 0x7ffff1e942a0 sp 0x7ffff1e94290 READ of size 1 at 0x613000035130 thread T0 #0 0x55ad42d54e5e in loading_done ospf6d/ospf6_neighbor.c:447 #1 0x55ad42ed7be4 in event_call lib/event.c:1995 #2 0x55ad42e1df75 in frr_run lib/libfrr.c:1213 #3 0x55ad42cf332e in main ospf6d/ospf6_main.c:250 #4 0x7f5798133c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) #5 0x55ad42cf2b19 in _start (/usr/lib/frr/ospf6d+0x248b19) 0x613000035130 is located 48 bytes inside of 384-byte region [0x613000035100,0x613000035280) freed by thread T0 here: #0 0x7f57998d77a8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8) #1 0x55ad42e3b4b6 in qfree lib/memory.c:130 #2 0x55ad42d5d049 in ospf6_neighbor_delete ospf6d/ospf6_neighbor.c:180 #3 0x55ad42d1e1ea in interface_down ospf6d/ospf6_interface.c:930 #4 0x55ad42ed7be4 in event_call lib/event.c:1995 #5 0x55ad42ed84fe in _event_execute lib/event.c:2086 #6 0x55ad42d26d7b in ospf6_interface_clear ospf6d/ospf6_interface.c:2847 #7 0x55ad42d73f16 in ospf6_process_reset ospf6d/ospf6_top.c:755 #8 0x55ad42d7e98c in clear_router_ospf6_magic ospf6d/ospf6_top.c:778 #9 0x55ad42d7e98c in clear_router_ospf6 ospf6d/ospf6_top_clippy.c:42 #10 0x55ad42dc2665 in cmd_execute_command_real lib/command.c:994 #11 0x55ad42dc2b32 in cmd_execute_command lib/command.c:1053 #12 0x55ad42dc2fa9 in cmd_execute lib/command.c:1221 #13 0x55ad42ee3cd6 in vty_command lib/vty.c:591 #14 0x55ad42ee4170 in vty_execute lib/vty.c:1354 #15 0x55ad42eec94f in vtysh_read lib/vty.c:2362 #16 0x55ad42ed7be4 in event_call lib/event.c:1995 #17 0x55ad42e1df75 in frr_run lib/libfrr.c:1213 #18 0x55ad42cf332e in main ospf6d/ospf6_main.c:250 #19 0x7f5798133c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) previously allocated by thread T0 here: #0 0x7f57998d7d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x55ad42e3ab22 in qcalloc lib/memory.c:105 #2 0x55ad42d5c8ff in ospf6_neighbor_create ospf6d/ospf6_neighbor.c:119 #3 0x55ad42d4c86a in ospf6_hello_recv ospf6d/ospf6_message.c:464 #4 0x55ad42d4c86a in ospf6_read_helper ospf6d/ospf6_message.c:1884 #5 0x55ad42d4c86a in ospf6_receive ospf6d/ospf6_message.c:1925 #6 0x55ad42ed7be4 in event_call lib/event.c:1995 #7 0x55ad42e1df75 in frr_run lib/libfrr.c:1213 #8 0x55ad42cf332e in main ospf6d/ospf6_main.c:250 #9 0x7f5798133c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Add an actual event pointer and just track it appropriately. Signed-off-by: Donald Sharp <sharpd@nvidia.com> Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>

The loading_done event needs a event pointer to prevent use after free's. Testing found this: ERROR: AddressSanitizer: heap-use-after-free on address 0x613000035130 at pc 0x55ad42d54e5f bp 0x7ffff1e942a0 sp 0x7ffff1e94290 READ of size 1 at 0x613000035130 thread T0 #0 0x55ad42d54e5e in loading_done ospf6d/ospf6_neighbor.c:447 #1 0x55ad42ed7be4 in event_call lib/event.c:1995 #2 0x55ad42e1df75 in frr_run lib/libfrr.c:1213 #3 0x55ad42cf332e in main ospf6d/ospf6_main.c:250 #4 0x7f5798133c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) #5 0x55ad42cf2b19 in _start (/usr/lib/frr/ospf6d+0x248b19) 0x613000035130 is located 48 bytes inside of 384-byte region [0x613000035100,0x613000035280) freed by thread T0 here: #0 0x7f57998d77a8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8) #1 0x55ad42e3b4b6 in qfree lib/memory.c:130 #2 0x55ad42d5d049 in ospf6_neighbor_delete ospf6d/ospf6_neighbor.c:180 #3 0x55ad42d1e1ea in interface_down ospf6d/ospf6_interface.c:930 #4 0x55ad42ed7be4 in event_call lib/event.c:1995 #5 0x55ad42ed84fe in _event_execute lib/event.c:2086 #6 0x55ad42d26d7b in ospf6_interface_clear ospf6d/ospf6_interface.c:2847 #7 0x55ad42d73f16 in ospf6_process_reset ospf6d/ospf6_top.c:755 #8 0x55ad42d7e98c in clear_router_ospf6_magic ospf6d/ospf6_top.c:778 #9 0x55ad42d7e98c in clear_router_ospf6 ospf6d/ospf6_top_clippy.c:42 #10 0x55ad42dc2665 in cmd_execute_command_real lib/command.c:994 #11 0x55ad42dc2b32 in cmd_execute_command lib/command.c:1053 #12 0x55ad42dc2fa9 in cmd_execute lib/command.c:1221 #13 0x55ad42ee3cd6 in vty_command lib/vty.c:591 #14 0x55ad42ee4170 in vty_execute lib/vty.c:1354 #15 0x55ad42eec94f in vtysh_read lib/vty.c:2362 #16 0x55ad42ed7be4 in event_call lib/event.c:1995 #17 0x55ad42e1df75 in frr_run lib/libfrr.c:1213 #18 0x55ad42cf332e in main ospf6d/ospf6_main.c:250 #19 0x7f5798133c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) previously allocated by thread T0 here: #0 0x7f57998d7d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x55ad42e3ab22 in qcalloc lib/memory.c:105 #2 0x55ad42d5c8ff in ospf6_neighbor_create ospf6d/ospf6_neighbor.c:119 #3 0x55ad42d4c86a in ospf6_hello_recv ospf6d/ospf6_message.c:464 #4 0x55ad42d4c86a in ospf6_read_helper ospf6d/ospf6_message.c:1884 #5 0x55ad42d4c86a in ospf6_receive ospf6d/ospf6_message.c:1925 #6 0x55ad42ed7be4 in event_call lib/event.c:1995 #7 0x55ad42e1df75 in frr_run lib/libfrr.c:1213 #8 0x55ad42cf332e in main ospf6d/ospf6_main.c:250 #9 0x7f5798133c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Add an actual event pointer and just track it appropriately. Signed-off-by: Donald Sharp <sharpd@nvidia.com>

The function aspath_remove_private_asns was using an aspath to perform some operation and didnt free it after usage leading to the leak below. *********************************************************************************** Address Sanitizer Error detected in bgp_remove_private_as_route_map.test_bgp_remove_private_as_route_map/r2.asan.bgpd.27074 ================================================================= ==27074==ERROR: LeakSanitizer: detected memory leaks Direct leak of 80 byte(s) in 2 object(s) allocated from: #0 0x7fd0a4b95d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) FRRouting#1 0x7fd0a45932ff in qcalloc lib/memory.c:105 FRRouting#2 0x562b630b44cc in aspath_dup bgpd/bgp_aspath.c:689 FRRouting#3 0x562b62f48498 in route_set_aspath_prepend bgpd/bgp_routemap.c:2283 FRRouting#4 0x7fd0a45ec39a in route_map_apply_ext lib/routemap.c:2690 FRRouting#5 0x562b62efbb1f in subgroup_announce_check bgpd/bgp_route.c:2434 FRRouting#6 0x562b62efd4e2 in subgroup_process_announce_selected bgpd/bgp_route.c:2990 FRRouting#7 0x562b62f6a829 in subgroup_announce_table bgpd/bgp_updgrp_adv.c:765 FRRouting#8 0x562b62f6acbb in subgroup_announce_route bgpd/bgp_updgrp_adv.c:818 FRRouting#9 0x562b62f6ae90 in subgroup_coalesce_timer bgpd/bgp_updgrp_adv.c:368 FRRouting#10 0x7fd0a463322a in event_call lib/event.c:1970 FRRouting#11 0x7fd0a4576566 in frr_run lib/libfrr.c:1214 FRRouting#12 0x562b62dbd8f1 in main bgpd/bgp_main.c:510 FRRouting#13 0x7fd0a35b8c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Direct leak of 80 byte(s) in 2 object(s) allocated from: #0 0x7fd0a4b95d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) FRRouting#1 0x7fd0a45932ff in qcalloc lib/memory.c:105 FRRouting#2 0x562b630b44cc in aspath_dup bgpd/bgp_aspath.c:689 FRRouting#3 0x562b62f48498 in route_set_aspath_prepend bgpd/bgp_routemap.c:2283 FRRouting#4 0x7fd0a45ec39a in route_map_apply_ext lib/routemap.c:2690 FRRouting#5 0x562b62efbb1f in subgroup_announce_check bgpd/bgp_route.c:2434 FRRouting#6 0x562b62efd4e2 in subgroup_process_announce_selected bgpd/bgp_route.c:2990 FRRouting#7 0x562b62f6a829 in subgroup_announce_table bgpd/bgp_updgrp_adv.c:765 FRRouting#8 0x562b62f6acbb in subgroup_announce_route bgpd/bgp_updgrp_adv.c:818 FRRouting#9 0x562b62f5b844 in updgrp_policy_update_walkcb bgpd/bgp_updgrp.c:1685 FRRouting#10 0x562b62f59442 in update_group_walkcb bgpd/bgp_updgrp.c:1721 FRRouting#11 0x7fd0a455a7aa in hash_walk lib/hash.c:270 FRRouting#12 0x562b62f64a48 in update_group_af_walk bgpd/bgp_updgrp.c:2062 FRRouting#13 0x562b62f6508c in update_group_walk bgpd/bgp_updgrp.c:2071 FRRouting#14 0x562b62f6520c in update_group_policy_update bgpd/bgp_updgrp.c:1769 FRRouting#15 0x562b62f4c2be in bgp_route_map_process_update bgpd/bgp_routemap.c:4501 FRRouting#16 0x562b62f4d81a in bgp_route_map_process_update_cb bgpd/bgp_routemap.c:4683 FRRouting#17 0x7fd0a45ed7e8 in route_map_walk_update_list lib/routemap.c:870 FRRouting#18 0x562b62f337a2 in bgp_route_map_update_timer bgpd/bgp_routemap.c:4695 FRRouting#19 0x7fd0a463322a in event_call lib/event.c:1970 FRRouting#20 0x7fd0a4576566 in frr_run lib/libfrr.c:1214 FRRouting#21 0x562b62dbd8f1 in main bgpd/bgp_main.c:510 FRRouting#22 0x7fd0a35b8c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 64 byte(s) in 2 object(s) allocated from: #0 0x7fd0a4b95b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40) FRRouting#1 0x7fd0a459301f in qmalloc lib/memory.c:100 FRRouting#2 0x562b630b313f in aspath_make_str_count bgpd/bgp_aspath.c:551 FRRouting#3 0x562b630b3ecf in aspath_str_update bgpd/bgp_aspath.c:659 FRRouting#4 0x562b630b88b7 in aspath_prepend bgpd/bgp_aspath.c:1484 FRRouting#5 0x562b62f484a8 in route_set_aspath_prepend bgpd/bgp_routemap.c:2289 FRRouting#6 0x7fd0a45ec39a in route_map_apply_ext lib/routemap.c:2690 FRRouting#7 0x562b62efbb1f in subgroup_announce_check bgpd/bgp_route.c:2434 FRRouting#8 0x562b62efd4e2 in subgroup_process_announce_selected bgpd/bgp_route.c:2990 FRRouting#9 0x562b62f6a829 in subgroup_announce_table bgpd/bgp_updgrp_adv.c:765 FRRouting#10 0x562b62f6acbb in subgroup_announce_route bgpd/bgp_updgrp_adv.c:818 FRRouting#11 0x562b62f6ae90 in subgroup_coalesce_timer bgpd/bgp_updgrp_adv.c:368 FRRouting#12 0x7fd0a463322a in event_call lib/event.c:1970 FRRouting#13 0x7fd0a4576566 in frr_run lib/libfrr.c:1214 FRRouting#14 0x562b62dbd8f1 in main bgpd/bgp_main.c:510 FRRouting#15 0x7fd0a35b8c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 64 byte(s) in 2 object(s) allocated from: #0 0x7fd0a4b95b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40) FRRouting#1 0x7fd0a459301f in qmalloc lib/memory.c:100 FRRouting#2 0x562b630b313f in aspath_make_str_count bgpd/bgp_aspath.c:551 FRRouting#3 0x562b630b3ecf in aspath_str_update bgpd/bgp_aspath.c:659 FRRouting#4 0x562b630b88b7 in aspath_prepend bgpd/bgp_aspath.c:1484 FRRouting#5 0x562b62f484a8 in route_set_aspath_prepend bgpd/bgp_routemap.c:2289 FRRouting#6 0x7fd0a45ec39a in route_map_apply_ext lib/routemap.c:2690 FRRouting#7 0x562b62efbb1f in subgroup_announce_check bgpd/bgp_route.c:2434 FRRouting#8 0x562b62efd4e2 in subgroup_process_announce_selected bgpd/bgp_route.c:2990 FRRouting#9 0x562b62f6a829 in subgroup_announce_table bgpd/bgp_updgrp_adv.c:765 FRRouting#10 0x562b62f6acbb in subgroup_announce_route bgpd/bgp_updgrp_adv.c:818 FRRouting#11 0x562b62f5b844 in updgrp_policy_update_walkcb bgpd/bgp_updgrp.c:1685 FRRouting#12 0x562b62f59442 in update_group_walkcb bgpd/bgp_updgrp.c:1721 FRRouting#13 0x7fd0a455a7aa in hash_walk lib/hash.c:270 FRRouting#14 0x562b62f64a48 in update_group_af_walk bgpd/bgp_updgrp.c:2062 FRRouting#15 0x562b62f6508c in update_group_walk bgpd/bgp_updgrp.c:2071 FRRouting#16 0x562b62f6520c in update_group_policy_update bgpd/bgp_updgrp.c:1769 FRRouting#17 0x562b62f4c2be in bgp_route_map_process_update bgpd/bgp_routemap.c:4501 FRRouting#18 0x562b62f4d81a in bgp_route_map_process_update_cb bgpd/bgp_routemap.c:4683 FRRouting#19 0x7fd0a45ed7e8 in route_map_walk_update_list lib/routemap.c:870 FRRouting#20 0x562b62f337a2 in bgp_route_map_update_timer bgpd/bgp_routemap.c:4695 FRRouting#21 0x7fd0a463322a in event_call lib/event.c:1970 FRRouting#22 0x7fd0a4576566 in frr_run lib/libfrr.c:1214 FRRouting#23 0x562b62dbd8f1 in main bgpd/bgp_main.c:510 FRRouting#24 0x7fd0a35b8c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 48 byte(s) in 2 object(s) allocated from: #0 0x7fd0a4b95d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) FRRouting#1 0x7fd0a45932ff in qcalloc lib/memory.c:105 FRRouting#2 0x562b630b280d in assegment_new bgpd/bgp_aspath.c:105 FRRouting#3 0x562b630b28f7 in assegment_dup bgpd/bgp_aspath.c:145 FRRouting#4 0x562b630b29e8 in assegment_dup_all bgpd/bgp_aspath.c:162 FRRouting#5 0x562b630b8895 in aspath_prepend bgpd/bgp_aspath.c:1483 FRRouting#6 0x562b62f484a8 in route_set_aspath_prepend bgpd/bgp_routemap.c:2289 FRRouting#7 0x7fd0a45ec39a in route_map_apply_ext lib/routemap.c:2690 FRRouting#8 0x562b62efbb1f in subgroup_announce_check bgpd/bgp_route.c:2434 FRRouting#9 0x562b62efd4e2 in subgroup_process_announce_selected bgpd/bgp_route.c:2990 FRRouting#10 0x562b62f6a829 in subgroup_announce_table bgpd/bgp_updgrp_adv.c:765 FRRouting#11 0x562b62f6acbb in subgroup_announce_route bgpd/bgp_updgrp_adv.c:818 FRRouting#12 0x562b62f5b844 in updgrp_policy_update_walkcb bgpd/bgp_updgrp.c:1685 FRRouting#13 0x562b62f59442 in update_group_walkcb bgpd/bgp_updgrp.c:1721 FRRouting#14 0x7fd0a455a7aa in hash_walk lib/hash.c:270 FRRouting#15 0x562b62f64a48 in update_group_af_walk bgpd/bgp_updgrp.c:2062 FRRouting#16 0x562b62f6508c in update_group_walk bgpd/bgp_updgrp.c:2071 FRRouting#17 0x562b62f6520c in update_group_policy_update bgpd/bgp_updgrp.c:1769 FRRouting#18 0x562b62f4c2be in bgp_route_map_process_update bgpd/bgp_routemap.c:4501 FRRouting#19 0x562b62f4d81a in bgp_route_map_process_update_cb bgpd/bgp_routemap.c:4683 FRRouting#20 0x7fd0a45ed7e8 in route_map_walk_update_list lib/routemap.c:870 FRRouting#21 0x562b62f337a2 in bgp_route_map_update_timer bgpd/bgp_routemap.c:4695 FRRouting#22 0x7fd0a463322a in event_call lib/event.c:1970 FRRouting#23 0x7fd0a4576566 in frr_run lib/libfrr.c:1214 FRRouting#24 0x562b62dbd8f1 in main bgpd/bgp_main.c:510 FRRouting#25 0x7fd0a35b8c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 48 byte(s) in 2 object(s) allocated from: #0 0x7fd0a4b95d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) FRRouting#1 0x7fd0a45932ff in qcalloc lib/memory.c:105 FRRouting#2 0x562b630b280d in assegment_new bgpd/bgp_aspath.c:105 FRRouting#3 0x562b630b28f7 in assegment_dup bgpd/bgp_aspath.c:145 FRRouting#4 0x562b630b29e8 in assegment_dup_all bgpd/bgp_aspath.c:162 FRRouting#5 0x562b630b8895 in aspath_prepend bgpd/bgp_aspath.c:1483 FRRouting#6 0x562b62f484a8 in route_set_aspath_prepend bgpd/bgp_routemap.c:2289 FRRouting#7 0x7fd0a45ec39a in route_map_apply_ext lib/routemap.c:2690 FRRouting#8 0x562b62efbb1f in subgroup_announce_check bgpd/bgp_route.c:2434 FRRouting#9 0x562b62efd4e2 in subgroup_process_announce_selected bgpd/bgp_route.c:2990 FRRouting#10 0x562b62f6a829 in subgroup_announce_table bgpd/bgp_updgrp_adv.c:765 FRRouting#11 0x562b62f6acbb in subgroup_announce_route bgpd/bgp_updgrp_adv.c:818 FRRouting#12 0x562b62f6ae90 in subgroup_coalesce_timer bgpd/bgp_updgrp_adv.c:368 FRRouting#13 0x7fd0a463322a in event_call lib/event.c:1970 FRRouting#14 0x7fd0a4576566 in frr_run lib/libfrr.c:1214 FRRouting#15 0x562b62dbd8f1 in main bgpd/bgp_main.c:510 FRRouting#16 0x7fd0a35b8c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 16 byte(s) in 2 object(s) allocated from: #0 0x7fd0a4b95b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40) FRRouting#1 0x7fd0a459301f in qmalloc lib/memory.c:100 FRRouting#2 0x562b630b2879 in assegment_data_new bgpd/bgp_aspath.c:83 FRRouting#3 0x562b630b2879 in assegment_new bgpd/bgp_aspath.c:108 FRRouting#4 0x562b630b28f7 in assegment_dup bgpd/bgp_aspath.c:145 FRRouting#5 0x562b630b29e8 in assegment_dup_all bgpd/bgp_aspath.c:162 FRRouting#6 0x562b630b8895 in aspath_prepend bgpd/bgp_aspath.c:1483 FRRouting#7 0x562b62f484a8 in route_set_aspath_prepend bgpd/bgp_routemap.c:2289 FRRouting#8 0x7fd0a45ec39a in route_map_apply_ext lib/routemap.c:2690 FRRouting#9 0x562b62efbb1f in subgroup_announce_check bgpd/bgp_route.c:2434 FRRouting#10 0x562b62efd4e2 in subgroup_process_announce_selected bgpd/bgp_route.c:2990 FRRouting#11 0x562b62f6a829 in subgroup_announce_table bgpd/bgp_updgrp_adv.c:765 FRRouting#12 0x562b62f6acbb in subgroup_announce_route bgpd/bgp_updgrp_adv.c:818 FRRouting#13 0x562b62f6ae90 in subgroup_coalesce_timer bgpd/bgp_updgrp_adv.c:368 FRRouting#14 0x7fd0a463322a in event_call lib/event.c:1970 FRRouting#15 0x7fd0a4576566 in frr_run lib/libfrr.c:1214 FRRouting#16 0x562b62dbd8f1 in main bgpd/bgp_main.c:510 FRRouting#17 0x7fd0a35b8c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 16 byte(s) in 2 object(s) allocated from: #0 0x7fd0a4b95b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40) FRRouting#1 0x7fd0a459301f in qmalloc lib/memory.c:100 FRRouting#2 0x562b630b2879 in assegment_data_new bgpd/bgp_aspath.c:83 FRRouting#3 0x562b630b2879 in assegment_new bgpd/bgp_aspath.c:108 FRRouting#4 0x562b630b28f7 in assegment_dup bgpd/bgp_aspath.c:145 FRRouting#5 0x562b630b29e8 in assegment_dup_all bgpd/bgp_aspath.c:162 FRRouting#6 0x562b630b8895 in aspath_prepend bgpd/bgp_aspath.c:1483 FRRouting#7 0x562b62f484a8 in route_set_aspath_prepend bgpd/bgp_routemap.c:2289 FRRouting#8 0x7fd0a45ec39a in route_map_apply_ext lib/routemap.c:2690 FRRouting#9 0x562b62efbb1f in subgroup_announce_check bgpd/bgp_route.c:2434 FRRouting#10 0x562b62efd4e2 in subgroup_process_announce_selected bgpd/bgp_route.c:2990 FRRouting#11 0x562b62f6a829 in subgroup_announce_table bgpd/bgp_updgrp_adv.c:765 FRRouting#12 0x562b62f6acbb in subgroup_announce_route bgpd/bgp_updgrp_adv.c:818 FRRouting#13 0x562b62f5b844 in updgrp_policy_update_walkcb bgpd/bgp_updgrp.c:1685 FRRouting#14 0x562b62f59442 in update_group_walkcb bgpd/bgp_updgrp.c:1721 FRRouting#15 0x7fd0a455a7aa in hash_walk lib/hash.c:270 FRRouting#16 0x562b62f64a48 in update_group_af_walk bgpd/bgp_updgrp.c:2062 FRRouting#17 0x562b62f6508c in update_group_walk bgpd/bgp_updgrp.c:2071 FRRouting#18 0x562b62f6520c in update_group_policy_update bgpd/bgp_updgrp.c:1769 FRRouting#19 0x562b62f4c2be in bgp_route_map_process_update bgpd/bgp_routemap.c:4501 FRRouting#20 0x562b62f4d81a in bgp_route_map_process_update_cb bgpd/bgp_routemap.c:4683 FRRouting#21 0x7fd0a45ed7e8 in route_map_walk_update_list lib/routemap.c:870 FRRouting#22 0x562b62f337a2 in bgp_route_map_update_timer bgpd/bgp_routemap.c:4695 FRRouting#23 0x7fd0a463322a in event_call lib/event.c:1970 FRRouting#24 0x7fd0a4576566 in frr_run lib/libfrr.c:1214 FRRouting#25 0x562b62dbd8f1 in main bgpd/bgp_main.c:510 FRRouting#26 0x7fd0a35b8c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) SUMMARY: AddressSanitizer: 416 byte(s) leaked in 16 allocation(s). *********************************************************************************** Signed-off-by: ryndia <dindyalsarvesh@gmail.com>

Fix the following crash when logging from rpki_create_socket(): > #0 raise (sig=<optimized out>) at ../sysdeps/unix/sysv/linux/raise.c:50 > #1 0x00007f6e21723798 in core_handler (signo=6, siginfo=0x7f6e1e502ef0, context=0x7f6e1e502dc0) at lib/sigevent.c:248 > #2 <signal handler called> > #3 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 > FRRouting#4 0x00007f6e2144e537 in __GI_abort () at abort.c:79 > FRRouting#5 0x00007f6e2176348e in _zlog_assert_failed (xref=0x7f6e2180c920 <_xref.16>, extra=0x0) at lib/zlog.c:670 > FRRouting#6 0x00007f6e216b1eda in rcu_read_lock () at lib/frrcu.c:294 > FRRouting#7 0x00007f6e21762da8 in vzlog_notls (xref=0x0, prio=2, fmt=0x7f6e217afe50 "%s:%d: %s(): assertion (%s) failed", ap=0x7f6e1e504248) at lib/zlog.c:425 > FRRouting#8 0x00007f6e217632fb in vzlogx (xref=0x0, prio=2, fmt=0x7f6e217afe50 "%s:%d: %s(): assertion (%s) failed", ap=0x7f6e1e504248) at lib/zlog.c:627 > FRRouting#9 0x00007f6e217621f5 in zlog (prio=2, fmt=0x7f6e217afe50 "%s:%d: %s(): assertion (%s) failed") at lib/zlog.h:73 > FRRouting#10 0x00007f6e21763596 in _zlog_assert_failed (xref=0x7f6e2180c920 <_xref.16>, extra=0x0) at lib/zlog.c:687 > FRRouting#11 0x00007f6e216b1eda in rcu_read_lock () at lib/frrcu.c:294 > FRRouting#12 0x00007f6e21762da8 in vzlog_notls (xref=0x7f6e21a50040 <_xref.68>, prio=4, fmt=0x7f6e21a4999f "getaddrinfo: debug", ap=0x7f6e1e504878) at lib/zlog.c:425 > FRRouting#13 0x00007f6e217632fb in vzlogx (xref=0x7f6e21a50040 <_xref.68>, prio=4, fmt=0x7f6e21a4999f "getaddrinfo: debug", ap=0x7f6e1e504878) at lib/zlog.c:627 > FRRouting#14 0x00007f6e21a3f774 in zlog_ref (xref=0x7f6e21a50040 <_xref.68>, fmt=0x7f6e21a4999f "getaddrinfo: debug") at ./lib/zlog.h:84 > FRRouting#15 0x00007f6e21a451b2 in rpki_create_socket (_cache=0x55729149cc30) at bgpd/bgp_rpki.c:1337 > FRRouting#16 0x00007f6e2120e7b7 in tr_tcp_open (tr_socket=0x5572914d1520) at rtrlib/rtrlib/transport/tcp/tcp_transport.c:111 > FRRouting#17 0x00007f6e2120e212 in tr_open (socket=0x5572914b5e00) at rtrlib/rtrlib/transport/transport.c:16 > FRRouting#18 0x00007f6e2120faa2 in rtr_fsm_start (rtr_socket=0x557290e17180) at rtrlib/rtrlib/rtr/rtr.c:130 > FRRouting#19 0x00007f6e218b7ea7 in start_thread (arg=<optimized out>) at pthread_create.c:477 > FRRouting#20 0x00007f6e21527a2f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95 rpki_create_socket() is a hook function called from the rtrlib library. The issue arises because rtrlib initiates its own separate pthread in which it runs the hook, which does not establish an FRR RCU context. Consequently, this leads to failures in the logging mechanism that relies on RCU. Initialize a new FRR pthread context from the rtrlib pthread with a valid RCU context to allow logging from the rpki_create_socket() and dependent functions. Link: FRRouting#15260 Fixes: a951752 ("bgpd: create cache server socket in vrf") Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>

The function aspath_remove_private_asns was using an aspath to perform some operation and didnt free it after usage leading to the leak below. *********************************************************************************** Address Sanitizer Error detected in bgp_remove_private_as_route_map.test_bgp_remove_private_as_route_map/r2.asan.bgpd.27074 ================================================================= ==27074==ERROR: LeakSanitizer: detected memory leaks Direct leak of 80 byte(s) in 2 object(s) allocated from: #0 0x7fd0a4b95d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x7fd0a45932ff in qcalloc lib/memory.c:105 FRRouting#2 0x562b630b44cc in aspath_dup bgpd/bgp_aspath.c:689 FRRouting#3 0x562b62f48498 in route_set_aspath_prepend bgpd/bgp_routemap.c:2283 FRRouting#4 0x7fd0a45ec39a in route_map_apply_ext lib/routemap.c:2690 FRRouting#5 0x562b62efbb1f in subgroup_announce_check bgpd/bgp_route.c:2434 FRRouting#6 0x562b62efd4e2 in subgroup_process_announce_selected bgpd/bgp_route.c:2990 FRRouting#7 0x562b62f6a829 in subgroup_announce_table bgpd/bgp_updgrp_adv.c:765 FRRouting#8 0x562b62f6acbb in subgroup_announce_route bgpd/bgp_updgrp_adv.c:818 FRRouting#9 0x562b62f6ae90 in subgroup_coalesce_timer bgpd/bgp_updgrp_adv.c:368 FRRouting#10 0x7fd0a463322a in event_call lib/event.c:1970 FRRouting#11 0x7fd0a4576566 in frr_run lib/libfrr.c:1214 FRRouting#12 0x562b62dbd8f1 in main bgpd/bgp_main.c:510 FRRouting#13 0x7fd0a35b8c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Direct leak of 80 byte(s) in 2 object(s) allocated from: #0 0x7fd0a4b95d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x7fd0a45932ff in qcalloc lib/memory.c:105 FRRouting#2 0x562b630b44cc in aspath_dup bgpd/bgp_aspath.c:689 FRRouting#3 0x562b62f48498 in route_set_aspath_prepend bgpd/bgp_routemap.c:2283 FRRouting#4 0x7fd0a45ec39a in route_map_apply_ext lib/routemap.c:2690 FRRouting#5 0x562b62efbb1f in subgroup_announce_check bgpd/bgp_route.c:2434 FRRouting#6 0x562b62efd4e2 in subgroup_process_announce_selected bgpd/bgp_route.c:2990 FRRouting#7 0x562b62f6a829 in subgroup_announce_table bgpd/bgp_updgrp_adv.c:765 FRRouting#8 0x562b62f6acbb in subgroup_announce_route bgpd/bgp_updgrp_adv.c:818 FRRouting#9 0x562b62f5b844 in updgrp_policy_update_walkcb bgpd/bgp_updgrp.c:1685 FRRouting#10 0x562b62f59442 in update_group_walkcb bgpd/bgp_updgrp.c:1721 FRRouting#11 0x7fd0a455a7aa in hash_walk lib/hash.c:270 FRRouting#12 0x562b62f64a48 in update_group_af_walk bgpd/bgp_updgrp.c:2062 FRRouting#13 0x562b62f6508c in update_group_walk bgpd/bgp_updgrp.c:2071 FRRouting#14 0x562b62f6520c in update_group_policy_update bgpd/bgp_updgrp.c:1769 FRRouting#15 0x562b62f4c2be in bgp_route_map_process_update bgpd/bgp_routemap.c:4501 FRRouting#16 0x562b62f4d81a in bgp_route_map_process_update_cb bgpd/bgp_routemap.c:4683 FRRouting#17 0x7fd0a45ed7e8 in route_map_walk_update_list lib/routemap.c:870 FRRouting#18 0x562b62f337a2 in bgp_route_map_update_timer bgpd/bgp_routemap.c:4695 FRRouting#19 0x7fd0a463322a in event_call lib/event.c:1970 FRRouting#20 0x7fd0a4576566 in frr_run lib/libfrr.c:1214 FRRouting#21 0x562b62dbd8f1 in main bgpd/bgp_main.c:510 FRRouting#22 0x7fd0a35b8c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 64 byte(s) in 2 object(s) allocated from: #0 0x7fd0a4b95b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40) #1 0x7fd0a459301f in qmalloc lib/memory.c:100 FRRouting#2 0x562b630b313f in aspath_make_str_count bgpd/bgp_aspath.c:551 FRRouting#3 0x562b630b3ecf in aspath_str_update bgpd/bgp_aspath.c:659 FRRouting#4 0x562b630b88b7 in aspath_prepend bgpd/bgp_aspath.c:1484 FRRouting#5 0x562b62f484a8 in route_set_aspath_prepend bgpd/bgp_routemap.c:2289 FRRouting#6 0x7fd0a45ec39a in route_map_apply_ext lib/routemap.c:2690 FRRouting#7 0x562b62efbb1f in subgroup_announce_check bgpd/bgp_route.c:2434 FRRouting#8 0x562b62efd4e2 in subgroup_process_announce_selected bgpd/bgp_route.c:2990 FRRouting#9 0x562b62f6a829 in subgroup_announce_table bgpd/bgp_updgrp_adv.c:765 FRRouting#10 0x562b62f6acbb in subgroup_announce_route bgpd/bgp_updgrp_adv.c:818 FRRouting#11 0x562b62f6ae90 in subgroup_coalesce_timer bgpd/bgp_updgrp_adv.c:368 FRRouting#12 0x7fd0a463322a in event_call lib/event.c:1970 FRRouting#13 0x7fd0a4576566 in frr_run lib/libfrr.c:1214 FRRouting#14 0x562b62dbd8f1 in main bgpd/bgp_main.c:510 FRRouting#15 0x7fd0a35b8c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 64 byte(s) in 2 object(s) allocated from: #0 0x7fd0a4b95b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40) #1 0x7fd0a459301f in qmalloc lib/memory.c:100 FRRouting#2 0x562b630b313f in aspath_make_str_count bgpd/bgp_aspath.c:551 FRRouting#3 0x562b630b3ecf in aspath_str_update bgpd/bgp_aspath.c:659 FRRouting#4 0x562b630b88b7 in aspath_prepend bgpd/bgp_aspath.c:1484 FRRouting#5 0x562b62f484a8 in route_set_aspath_prepend bgpd/bgp_routemap.c:2289 FRRouting#6 0x7fd0a45ec39a in route_map_apply_ext lib/routemap.c:2690 FRRouting#7 0x562b62efbb1f in subgroup_announce_check bgpd/bgp_route.c:2434 FRRouting#8 0x562b62efd4e2 in subgroup_process_announce_selected bgpd/bgp_route.c:2990 FRRouting#9 0x562b62f6a829 in subgroup_announce_table bgpd/bgp_updgrp_adv.c:765 FRRouting#10 0x562b62f6acbb in subgroup_announce_route bgpd/bgp_updgrp_adv.c:818 FRRouting#11 0x562b62f5b844 in updgrp_policy_update_walkcb bgpd/bgp_updgrp.c:1685 FRRouting#12 0x562b62f59442 in update_group_walkcb bgpd/bgp_updgrp.c:1721 FRRouting#13 0x7fd0a455a7aa in hash_walk lib/hash.c:270 FRRouting#14 0x562b62f64a48 in update_group_af_walk bgpd/bgp_updgrp.c:2062 FRRouting#15 0x562b62f6508c in update_group_walk bgpd/bgp_updgrp.c:2071 FRRouting#16 0x562b62f6520c in update_group_policy_update bgpd/bgp_updgrp.c:1769 FRRouting#17 0x562b62f4c2be in bgp_route_map_process_update bgpd/bgp_routemap.c:4501 FRRouting#18 0x562b62f4d81a in bgp_route_map_process_update_cb bgpd/bgp_routemap.c:4683 FRRouting#19 0x7fd0a45ed7e8 in route_map_walk_update_list lib/routemap.c:870 FRRouting#20 0x562b62f337a2 in bgp_route_map_update_timer bgpd/bgp_routemap.c:4695 FRRouting#21 0x7fd0a463322a in event_call lib/event.c:1970 FRRouting#22 0x7fd0a4576566 in frr_run lib/libfrr.c:1214 FRRouting#23 0x562b62dbd8f1 in main bgpd/bgp_main.c:510 FRRouting#24 0x7fd0a35b8c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 48 byte(s) in 2 object(s) allocated from: #0 0x7fd0a4b95d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x7fd0a45932ff in qcalloc lib/memory.c:105 FRRouting#2 0x562b630b280d in assegment_new bgpd/bgp_aspath.c:105 FRRouting#3 0x562b630b28f7 in assegment_dup bgpd/bgp_aspath.c:145 FRRouting#4 0x562b630b29e8 in assegment_dup_all bgpd/bgp_aspath.c:162 FRRouting#5 0x562b630b8895 in aspath_prepend bgpd/bgp_aspath.c:1483 FRRouting#6 0x562b62f484a8 in route_set_aspath_prepend bgpd/bgp_routemap.c:2289 FRRouting#7 0x7fd0a45ec39a in route_map_apply_ext lib/routemap.c:2690 FRRouting#8 0x562b62efbb1f in subgroup_announce_check bgpd/bgp_route.c:2434 FRRouting#9 0x562b62efd4e2 in subgroup_process_announce_selected bgpd/bgp_route.c:2990 FRRouting#10 0x562b62f6a829 in subgroup_announce_table bgpd/bgp_updgrp_adv.c:765 FRRouting#11 0x562b62f6acbb in subgroup_announce_route bgpd/bgp_updgrp_adv.c:818 FRRouting#12 0x562b62f5b844 in updgrp_policy_update_walkcb bgpd/bgp_updgrp.c:1685 FRRouting#13 0x562b62f59442 in update_group_walkcb bgpd/bgp_updgrp.c:1721 FRRouting#14 0x7fd0a455a7aa in hash_walk lib/hash.c:270 FRRouting#15 0x562b62f64a48 in update_group_af_walk bgpd/bgp_updgrp.c:2062 FRRouting#16 0x562b62f6508c in update_group_walk bgpd/bgp_updgrp.c:2071 FRRouting#17 0x562b62f6520c in update_group_policy_update bgpd/bgp_updgrp.c:1769 FRRouting#18 0x562b62f4c2be in bgp_route_map_process_update bgpd/bgp_routemap.c:4501 FRRouting#19 0x562b62f4d81a in bgp_route_map_process_update_cb bgpd/bgp_routemap.c:4683 FRRouting#20 0x7fd0a45ed7e8 in route_map_walk_update_list lib/routemap.c:870 FRRouting#21 0x562b62f337a2 in bgp_route_map_update_timer bgpd/bgp_routemap.c:4695 FRRouting#22 0x7fd0a463322a in event_call lib/event.c:1970 FRRouting#23 0x7fd0a4576566 in frr_run lib/libfrr.c:1214 FRRouting#24 0x562b62dbd8f1 in main bgpd/bgp_main.c:510 FRRouting#25 0x7fd0a35b8c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 48 byte(s) in 2 object(s) allocated from: #0 0x7fd0a4b95d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) #1 0x7fd0a45932ff in qcalloc lib/memory.c:105 FRRouting#2 0x562b630b280d in assegment_new bgpd/bgp_aspath.c:105 FRRouting#3 0x562b630b28f7 in assegment_dup bgpd/bgp_aspath.c:145 FRRouting#4 0x562b630b29e8 in assegment_dup_all bgpd/bgp_aspath.c:162 FRRouting#5 0x562b630b8895 in aspath_prepend bgpd/bgp_aspath.c:1483 FRRouting#6 0x562b62f484a8 in route_set_aspath_prepend bgpd/bgp_routemap.c:2289 FRRouting#7 0x7fd0a45ec39a in route_map_apply_ext lib/routemap.c:2690 FRRouting#8 0x562b62efbb1f in subgroup_announce_check bgpd/bgp_route.c:2434 FRRouting#9 0x562b62efd4e2 in subgroup_process_announce_selected bgpd/bgp_route.c:2990 FRRouting#10 0x562b62f6a829 in subgroup_announce_table bgpd/bgp_updgrp_adv.c:765 FRRouting#11 0x562b62f6acbb in subgroup_announce_route bgpd/bgp_updgrp_adv.c:818 FRRouting#12 0x562b62f6ae90 in subgroup_coalesce_timer bgpd/bgp_updgrp_adv.c:368 FRRouting#13 0x7fd0a463322a in event_call lib/event.c:1970 FRRouting#14 0x7fd0a4576566 in frr_run lib/libfrr.c:1214 FRRouting#15 0x562b62dbd8f1 in main bgpd/bgp_main.c:510 FRRouting#16 0x7fd0a35b8c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 16 byte(s) in 2 object(s) allocated from: #0 0x7fd0a4b95b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40) #1 0x7fd0a459301f in qmalloc lib/memory.c:100 FRRouting#2 0x562b630b2879 in assegment_data_new bgpd/bgp_aspath.c:83 FRRouting#3 0x562b630b2879 in assegment_new bgpd/bgp_aspath.c:108 FRRouting#4 0x562b630b28f7 in assegment_dup bgpd/bgp_aspath.c:145 FRRouting#5 0x562b630b29e8 in assegment_dup_all bgpd/bgp_aspath.c:162 FRRouting#6 0x562b630b8895 in aspath_prepend bgpd/bgp_aspath.c:1483 FRRouting#7 0x562b62f484a8 in route_set_aspath_prepend bgpd/bgp_routemap.c:2289 FRRouting#8 0x7fd0a45ec39a in route_map_apply_ext lib/routemap.c:2690 FRRouting#9 0x562b62efbb1f in subgroup_announce_check bgpd/bgp_route.c:2434 FRRouting#10 0x562b62efd4e2 in subgroup_process_announce_selected bgpd/bgp_route.c:2990 FRRouting#11 0x562b62f6a829 in subgroup_announce_table bgpd/bgp_updgrp_adv.c:765 FRRouting#12 0x562b62f6acbb in subgroup_announce_route bgpd/bgp_updgrp_adv.c:818 FRRouting#13 0x562b62f6ae90 in subgroup_coalesce_timer bgpd/bgp_updgrp_adv.c:368 FRRouting#14 0x7fd0a463322a in event_call lib/event.c:1970 FRRouting#15 0x7fd0a4576566 in frr_run lib/libfrr.c:1214 FRRouting#16 0x562b62dbd8f1 in main bgpd/bgp_main.c:510 FRRouting#17 0x7fd0a35b8c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 16 byte(s) in 2 object(s) allocated from: #0 0x7fd0a4b95b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40) #1 0x7fd0a459301f in qmalloc lib/memory.c:100 FRRouting#2 0x562b630b2879 in assegment_data_new bgpd/bgp_aspath.c:83 FRRouting#3 0x562b630b2879 in assegment_new bgpd/bgp_aspath.c:108 FRRouting#4 0x562b630b28f7 in assegment_dup bgpd/bgp_aspath.c:145 FRRouting#5 0x562b630b29e8 in assegment_dup_all bgpd/bgp_aspath.c:162 FRRouting#6 0x562b630b8895 in aspath_prepend bgpd/bgp_aspath.c:1483 FRRouting#7 0x562b62f484a8 in route_set_aspath_prepend bgpd/bgp_routemap.c:2289 FRRouting#8 0x7fd0a45ec39a in route_map_apply_ext lib/routemap.c:2690 FRRouting#9 0x562b62efbb1f in subgroup_announce_check bgpd/bgp_route.c:2434 FRRouting#10 0x562b62efd4e2 in subgroup_process_announce_selected bgpd/bgp_route.c:2990 FRRouting#11 0x562b62f6a829 in subgroup_announce_table bgpd/bgp_updgrp_adv.c:765 FRRouting#12 0x562b62f6acbb in subgroup_announce_route bgpd/bgp_updgrp_adv.c:818 FRRouting#13 0x562b62f5b844 in updgrp_policy_update_walkcb bgpd/bgp_updgrp.c:1685 FRRouting#14 0x562b62f59442 in update_group_walkcb bgpd/bgp_updgrp.c:1721 FRRouting#15 0x7fd0a455a7aa in hash_walk lib/hash.c:270 FRRouting#16 0x562b62f64a48 in update_group_af_walk bgpd/bgp_updgrp.c:2062 FRRouting#17 0x562b62f6508c in update_group_walk bgpd/bgp_updgrp.c:2071 FRRouting#18 0x562b62f6520c in update_group_policy_update bgpd/bgp_updgrp.c:1769 FRRouting#19 0x562b62f4c2be in bgp_route_map_process_update bgpd/bgp_routemap.c:4501 FRRouting#20 0x562b62f4d81a in bgp_route_map_process_update_cb bgpd/bgp_routemap.c:4683 FRRouting#21 0x7fd0a45ed7e8 in route_map_walk_update_list lib/routemap.c:870 FRRouting#22 0x562b62f337a2 in bgp_route_map_update_timer bgpd/bgp_routemap.c:4695 FRRouting#23 0x7fd0a463322a in event_call lib/event.c:1970 FRRouting#24 0x7fd0a4576566 in frr_run lib/libfrr.c:1214 FRRouting#25 0x562b62dbd8f1 in main bgpd/bgp_main.c:510 FRRouting#26 0x7fd0a35b8c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) SUMMARY: AddressSanitizer: 416 byte(s) leaked in 16 allocation(s). *********************************************************************************** Signed-off-by: ryndia <dindyalsarvesh@gmail.com>

Fix the following crash when logging from rpki_create_socket(): > #0 raise (sig=<optimized out>) at ../sysdeps/unix/sysv/linux/raise.c:50 > #1 0x00007f6e21723798 in core_handler (signo=6, siginfo=0x7f6e1e502ef0, context=0x7f6e1e502dc0) at lib/sigevent.c:248 > FRRouting#2 <signal handler called> > FRRouting#3 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 > FRRouting#4 0x00007f6e2144e537 in __GI_abort () at abort.c:79 > FRRouting#5 0x00007f6e2176348e in _zlog_assert_failed (xref=0x7f6e2180c920 <_xref.16>, extra=0x0) at lib/zlog.c:670 > FRRouting#6 0x00007f6e216b1eda in rcu_read_lock () at lib/frrcu.c:294 > FRRouting#7 0x00007f6e21762da8 in vzlog_notls (xref=0x0, prio=2, fmt=0x7f6e217afe50 "%s:%d: %s(): assertion (%s) failed", ap=0x7f6e1e504248) at lib/zlog.c:425 > FRRouting#8 0x00007f6e217632fb in vzlogx (xref=0x0, prio=2, fmt=0x7f6e217afe50 "%s:%d: %s(): assertion (%s) failed", ap=0x7f6e1e504248) at lib/zlog.c:627 > FRRouting#9 0x00007f6e217621f5 in zlog (prio=2, fmt=0x7f6e217afe50 "%s:%d: %s(): assertion (%s) failed") at lib/zlog.h:73 > FRRouting#10 0x00007f6e21763596 in _zlog_assert_failed (xref=0x7f6e2180c920 <_xref.16>, extra=0x0) at lib/zlog.c:687 > FRRouting#11 0x00007f6e216b1eda in rcu_read_lock () at lib/frrcu.c:294 > FRRouting#12 0x00007f6e21762da8 in vzlog_notls (xref=0x7f6e21a50040 <_xref.68>, prio=4, fmt=0x7f6e21a4999f "getaddrinfo: debug", ap=0x7f6e1e504878) at lib/zlog.c:425 > FRRouting#13 0x00007f6e217632fb in vzlogx (xref=0x7f6e21a50040 <_xref.68>, prio=4, fmt=0x7f6e21a4999f "getaddrinfo: debug", ap=0x7f6e1e504878) at lib/zlog.c:627 > FRRouting#14 0x00007f6e21a3f774 in zlog_ref (xref=0x7f6e21a50040 <_xref.68>, fmt=0x7f6e21a4999f "getaddrinfo: debug") at ./lib/zlog.h:84 > FRRouting#15 0x00007f6e21a451b2 in rpki_create_socket (_cache=0x55729149cc30) at bgpd/bgp_rpki.c:1337 > FRRouting#16 0x00007f6e2120e7b7 in tr_tcp_open (tr_socket=0x5572914d1520) at rtrlib/rtrlib/transport/tcp/tcp_transport.c:111 > FRRouting#17 0x00007f6e2120e212 in tr_open (socket=0x5572914b5e00) at rtrlib/rtrlib/transport/transport.c:16 > FRRouting#18 0x00007f6e2120faa2 in rtr_fsm_start (rtr_socket=0x557290e17180) at rtrlib/rtrlib/rtr/rtr.c:130 > FRRouting#19 0x00007f6e218b7ea7 in start_thread (arg=<optimized out>) at pthread_create.c:477 > FRRouting#20 0x00007f6e21527a2f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95 rpki_create_socket() is a hook function called from the rtrlib library. The issue arises because rtrlib initiates its own separate pthread in which it runs the hook, which does not establish an FRR RCU context. Consequently, this leads to failures in the logging mechanism that relies on RCU. Initialize a new FRR pthread context from the rtrlib pthread with a valid RCU context to allow logging from the rpki_create_socket() and dependent functions. Link: FRRouting#15260 Fixes: a951752 ("bgpd: create cache server socket in vrf") Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>

This commit ensures proper cleanup by deleting the gm_join_list when a PIM interface is deleted. The gm_join_list was previously not being freed, causing a memory leak. The ASan leak log for reference: ``` *********************************************************************************** Address Sanitizer Error detected in multicast_mld_join_topo1.test_multicast_mld_local_join/r1.asan.pim6d.28070 ================================================================= ==28070==ERROR: LeakSanitizer: detected memory leaks Direct leak of 40 byte(s) in 1 object(s) allocated from: #0 0x7f3605dbfd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) FRRouting#1 0x56230373dd6b in qcalloc lib/memory.c:105 FRRouting#2 0x56230372180f in list_new lib/linklist.c:49 FRRouting#3 0x56230361b589 in pim_if_gm_join_add pimd/pim_iface.c:1313 FRRouting#4 0x562303642247 in lib_interface_gmp_address_family_static_group_create pimd/pim_nb_config.c:2868 FRRouting#5 0x562303767280 in nb_callback_create lib/northbound.c:1235 FRRouting#6 0x562303767280 in nb_callback_configuration lib/northbound.c:1579 FRRouting#7 0x562303768a1d in nb_transaction_process lib/northbound.c:1710 FRRouting#8 0x56230376904a in nb_candidate_commit_apply lib/northbound.c:1104 FRRouting#9 0x5623037692ba in nb_candidate_commit lib/northbound.c:1137 FRRouting#10 0x562303769dec in nb_cli_classic_commit lib/northbound_cli.c:49 FRRouting#11 0x56230376fb79 in nb_cli_pending_commit_check lib/northbound_cli.c:88 FRRouting#12 0x5623036c5bcb in cmd_execute_command_real lib/command.c:991 FRRouting#13 0x5623036c5f1b in cmd_execute_command lib/command.c:1053 FRRouting#14 0x5623036c6392 in cmd_execute lib/command.c:1221 FRRouting#15 0x5623037e75da in vty_command lib/vty.c:591 FRRouting#16 0x5623037e7a74 in vty_execute lib/vty.c:1354 FRRouting#17 0x5623037f0253 in vtysh_read lib/vty.c:2362 FRRouting#18 0x5623037db4e8 in event_call lib/event.c:1995 FRRouting#19 0x562303720f97 in frr_run lib/libfrr.c:1213 FRRouting#20 0x56230368615d in main pimd/pim6_main.c:184 FRRouting#21 0x7f360461bc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 192 byte(s) in 4 object(s) allocated from: #0 0x7f3605dbfd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) FRRouting#1 0x56230373dd6b in qcalloc lib/memory.c:105 FRRouting#2 0x56230361b91d in gm_join_new pimd/pim_iface.c:1288 FRRouting#3 0x56230361b91d in pim_if_gm_join_add pimd/pim_iface.c:1326 FRRouting#4 0x562303642247 in lib_interface_gmp_address_family_static_group_create pimd/pim_nb_config.c:2868 FRRouting#5 0x562303767280 in nb_callback_create lib/northbound.c:1235 FRRouting#6 0x562303767280 in nb_callback_configuration lib/northbound.c:1579 FRRouting#7 0x562303768a1d in nb_transaction_process lib/northbound.c:1710 FRRouting#8 0x56230376904a in nb_candidate_commit_apply lib/northbound.c:1104 FRRouting#9 0x5623037692ba in nb_candidate_commit lib/northbound.c:1137 FRRouting#10 0x562303769dec in nb_cli_classic_commit lib/northbound_cli.c:49 FRRouting#11 0x56230376fb79 in nb_cli_pending_commit_check lib/northbound_cli.c:88 FRRouting#12 0x5623036c5bcb in cmd_execute_command_real lib/command.c:991 FRRouting#13 0x5623036c5f1b in cmd_execute_command lib/command.c:1053 FRRouting#14 0x5623036c6392 in cmd_execute lib/command.c:1221 FRRouting#15 0x5623037e75da in vty_command lib/vty.c:591 FRRouting#16 0x5623037e7a74 in vty_execute lib/vty.c:1354 FRRouting#17 0x5623037f0253 in vtysh_read lib/vty.c:2362 FRRouting#18 0x5623037db4e8 in event_call lib/event.c:1995 FRRouting#19 0x562303720f97 in frr_run lib/libfrr.c:1213 FRRouting#20 0x56230368615d in main pimd/pim6_main.c:184 FRRouting#21 0x7f360461bc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 96 byte(s) in 4 object(s) allocated from: #0 0x7f3605dbfd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) FRRouting#1 0x56230373dd6b in qcalloc lib/memory.c:105 FRRouting#2 0x562303721651 in listnode_new lib/linklist.c:71 FRRouting#3 0x56230372182b in listnode_add lib/linklist.c:92 FRRouting#4 0x56230361ba9a in gm_join_new pimd/pim_iface.c:1295 FRRouting#5 0x56230361ba9a in pim_if_gm_join_add pimd/pim_iface.c:1326 FRRouting#6 0x562303642247 in lib_interface_gmp_address_family_static_group_create pimd/pim_nb_config.c:2868 FRRouting#7 0x562303767280 in nb_callback_create lib/northbound.c:1235 FRRouting#8 0x562303767280 in nb_callback_configuration lib/northbound.c:1579 FRRouting#9 0x562303768a1d in nb_transaction_process lib/northbound.c:1710 FRRouting#10 0x56230376904a in nb_candidate_commit_apply lib/northbound.c:1104 FRRouting#11 0x5623037692ba in nb_candidate_commit lib/northbound.c:1137 FRRouting#12 0x562303769dec in nb_cli_classic_commit lib/northbound_cli.c:49 FRRouting#13 0x56230376fb79 in nb_cli_pending_commit_check lib/northbound_cli.c:88 FRRouting#14 0x5623036c5bcb in cmd_execute_command_real lib/command.c:991 FRRouting#15 0x5623036c5f1b in cmd_execute_command lib/command.c:1053 FRRouting#16 0x5623036c6392 in cmd_execute lib/command.c:1221 FRRouting#17 0x5623037e75da in vty_command lib/vty.c:591 FRRouting#18 0x5623037e7a74 in vty_execute lib/vty.c:1354 FRRouting#19 0x5623037f0253 in vtysh_read lib/vty.c:2362 FRRouting#20 0x5623037db4e8 in event_call lib/event.c:1995 FRRouting#21 0x562303720f97 in frr_run lib/libfrr.c:1213 FRRouting#22 0x56230368615d in main pimd/pim6_main.c:184 FRRouting#23 0x7f360461bc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 48 byte(s) in 1 object(s) allocated from: #0 0x7f3605dbfd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) FRRouting#1 0x56230373dd6b in qcalloc lib/memory.c:105 FRRouting#2 0x56230361b91d in gm_join_new pimd/pim_iface.c:1288 FRRouting#3 0x56230361b91d in pim_if_gm_join_add pimd/pim_iface.c:1326 FRRouting#4 0x562303642247 in lib_interface_gmp_address_family_static_group_create pimd/pim_nb_config.c:2868 FRRouting#5 0x562303767280 in nb_callback_create lib/northbound.c:1235 FRRouting#6 0x562303767280 in nb_callback_configuration lib/northbound.c:1579 FRRouting#7 0x562303768a1d in nb_transaction_process lib/northbound.c:1710 FRRouting#8 0x56230376904a in nb_candidate_commit_apply lib/northbound.c:1104 FRRouting#9 0x5623037692ba in nb_candidate_commit lib/northbound.c:1137 FRRouting#10 0x562303769dec in nb_cli_classic_commit lib/northbound_cli.c:49 FRRouting#11 0x56230376fb79 in nb_cli_pending_commit_check lib/northbound_cli.c:88 FRRouting#12 0x5623036c5bcb in cmd_execute_command_real lib/command.c:991 FRRouting#13 0x5623036c5f6f in cmd_execute_command lib/command.c:1072 FRRouting#14 0x5623036c6392 in cmd_execute lib/command.c:1221 FRRouting#15 0x5623037e75da in vty_command lib/vty.c:591 FRRouting#16 0x5623037e7a74 in vty_execute lib/vty.c:1354 FRRouting#17 0x5623037f0253 in vtysh_read lib/vty.c:2362 FRRouting#18 0x5623037db4e8 in event_call lib/event.c:1995 FRRouting#19 0x562303720f97 in frr_run lib/libfrr.c:1213 FRRouting#20 0x56230368615d in main pimd/pim6_main.c:184 FRRouting#21 0x7f360461bc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 24 byte(s) in 1 object(s) allocated from: #0 0x7f3605dbfd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) FRRouting#1 0x56230373dd6b in qcalloc lib/memory.c:105 FRRouting#2 0x562303721651 in listnode_new lib/linklist.c:71 FRRouting#3 0x56230372182b in listnode_add lib/linklist.c:92 FRRouting#4 0x56230361ba9a in gm_join_new pimd/pim_iface.c:1295 FRRouting#5 0x56230361ba9a in pim_if_gm_join_add pimd/pim_iface.c:1326 FRRouting#6 0x562303642247 in lib_interface_gmp_address_family_static_group_create pimd/pim_nb_config.c:2868 FRRouting#7 0x562303767280 in nb_callback_create lib/northbound.c:1235 FRRouting#8 0x562303767280 in nb_callback_configuration lib/northbound.c:1579 FRRouting#9 0x562303768a1d in nb_transaction_process lib/northbound.c:1710 FRRouting#10 0x56230376904a in nb_candidate_commit_apply lib/northbound.c:1104 FRRouting#11 0x5623037692ba in nb_candidate_commit lib/northbound.c:1137 FRRouting#12 0x562303769dec in nb_cli_classic_commit lib/northbound_cli.c:49 FRRouting#13 0x56230376fb79 in nb_cli_pending_commit_check lib/northbound_cli.c:88 FRRouting#14 0x5623036c5bcb in cmd_execute_command_real lib/command.c:991 FRRouting#15 0x5623036c5f6f in cmd_execute_command lib/command.c:1072 FRRouting#16 0x5623036c6392 in cmd_execute lib/command.c:1221 FRRouting#17 0x5623037e75da in vty_command lib/vty.c:591 FRRouting#18 0x5623037e7a74 in vty_execute lib/vty.c:1354 FRRouting#19 0x5623037f0253 in vtysh_read lib/vty.c:2362 FRRouting#20 0x5623037db4e8 in event_call lib/event.c:1995 FRRouting#21 0x562303720f97 in frr_run lib/libfrr.c:1213 FRRouting#22 0x56230368615d in main pimd/pim6_main.c:184 FRRouting#23 0x7f360461bc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) SUMMARY: AddressSanitizer: 400 byte(s) leaked in 11 allocation(s). *********************************************************************************** ``` Signed-off-by: Keelan Cannoo <keelan.cannoo@icloud.com> (cherry picked from commit 24379f0)

Fix a crash when doing "show isis database detail json" in isis_srv6_topo1 topotest. > #0 raise (sig=<optimized out>) at ../sysdeps/unix/sysv/linux/raise.c:50 > #1 0x00007fad89524e2c in core_handler (signo=6, siginfo=0x7ffe86a4b8b0, context=0x7ffe86a4b780) at lib/sigevent.c:258 > #2 <signal handler called> > #3 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 > FRRouting#4 0x00007fad8904e537 in __GI_abort () at abort.c:79 > FRRouting#5 0x00007fad8904e40f in __assert_fail_base (fmt=0x7fad891c5688 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x7fad8a3e70e8 "json_object_get_type(jso) == json_type_object", > file=0x7fad8a3e7064 "./json_object.c", line=590, function=<optimized out>) at assert.c:92 > FRRouting#6 0x00007fad8905d662 in __GI___assert_fail (assertion=0x7fad8a3e70e8 "json_object_get_type(jso) == json_type_object", file=0x7fad8a3e7064 "./json_object.c", line=590, > function=0x7fad8a3e7440 "json_object_object_add_ex") at assert.c:101 > FRRouting#7 0x00007fad8a3dfe93 in json_object_object_add_ex () from /lib/x86_64-linux-gnu/libjson-c.so.5 > FRRouting#8 0x000055708e3f8f7f in format_subsubtlv_srv6_sid_structure (sid_struct=0x602000172b70, buf=0x0, json=0x6040000a21d0, indent=6) at isisd/isis_tlvs.c:2880 > FRRouting#9 0x000055708e3f9acb in isis_format_subsubtlvs (subsubtlvs=0x602000172b50, buf=0x0, json=0x6040000a21d0, indent=6) at isisd/isis_tlvs.c:3022 > FRRouting#10 0x000055708e3eefb0 in format_item_ext_subtlvs (exts=0x614000047440, buf=0x0, json=0x6040000a2190, indent=2, mtid=2) at isisd/isis_tlvs.c:1313 > FRRouting#11 0x000055708e3fd599 in format_item_extended_reach (mtid=2, i=0x60300015aed0, buf=0x0, json=0x6040000a1bd0, indent=0) at isisd/isis_tlvs.c:3763 > FRRouting#12 0x000055708e40d46a in format_item (mtid=2, context=ISIS_CONTEXT_LSP, type=ISIS_TLV_MT_REACH, i=0x60300015aed0, buf=0x0, json=0x6040000a1bd0, indent=0) at isisd/isis_tlvs.c:6789 > FRRouting#13 0x000055708e40d4fc in format_items_ (mtid=2, context=ISIS_CONTEXT_LSP, type=ISIS_TLV_MT_REACH, items=0x60600021d160, buf=0x0, json=0x6040000a1bd0, indent=0) at isisd/isis_tlvs.c:6804 > FRRouting#14 0x000055708e40edbc in format_mt_items (context=ISIS_CONTEXT_LSP, type=ISIS_TLV_MT_REACH, m=0x6180000845d8, buf=0x0, json=0x6040000a1bd0, indent=0) at isisd/isis_tlvs.c:7147 > FRRouting#15 0x000055708e4111e9 in format_tlvs (tlvs=0x618000084480, buf=0x0, json=0x6040000a1bd0, indent=0) at isisd/isis_tlvs.c:7572 > FRRouting#16 0x000055708e4114ce in isis_format_tlvs (tlvs=0x618000084480, json=0x6040000a1bd0) at isisd/isis_tlvs.c:7613 > FRRouting#17 0x000055708e36f167 in lsp_print_detail (lsp=0x612000058b40, vty=0x0, json=0x6040000a1bd0, dynhost=1 '\001', isis=0x60d00001f800) at isisd/isis_lsp.c:785 > FRRouting#18 0x000055708e36f31f in lsp_print_all (vty=0x0, json=0x6040000a0490, head=0x61f000005488, detail=1 '\001', dynhost=1 '\001', isis=0x60d00001f800) at isisd/isis_lsp.c:820 > FRRouting#19 0x000055708e4379fc in show_isis_database_lspdb_json (json=0x6040000a0450, area=0x61f000005480, level=0, lspdb=0x61f000005488, sysid_str=0x0, ui_level=1) at isisd/isisd.c:2683 > FRRouting#20 0x000055708e437ef9 in show_isis_database_json (json=0x6040000a0310, sysid_str=0x0, ui_level=1, isis=0x60d00001f800) at isisd/isisd.c:2754 > FRRouting#21 0x000055708e438357 in show_isis_database_common (vty=0x62e000060400, json=0x6040000a0310, sysid_str=0x0, ui_level=1, isis=0x60d00001f800) at isisd/isisd.c:2788 > FRRouting#22 0x000055708e438591 in show_isis_database (vty=0x62e000060400, json=0x6040000a0310, sysid_str=0x0, ui_level=1, vrf_name=0x7fad89806300 <vrf_default_name> "default", all_vrf=false) > at isisd/isisd.c:2825 > FRRouting#23 0x000055708e43891d in show_database (self=0x55708e5519c0 <show_database_cmd>, vty=0x62e000060400, argc=5, argv=0x6040000a02d0) at isisd/isisd.c:2855 > FRRouting#24 0x00007fad893a9767 in cmd_execute_command_real (vline=0x60300015f220, vty=0x62e000060400, cmd=0x0, up_level=0) at lib/command.c:1002 > FRRouting#25 0x00007fad893a9adc in cmd_execute_command (vline=0x60300015f220, vty=0x62e000060400, cmd=0x0, vtysh=0) at lib/command.c:1061 > FRRouting#26 0x00007fad893aa728 in cmd_execute (vty=0x62e000060400, cmd=0x621000025900 "show isis database detail json ", matched=0x0, vtysh=0) at lib/command.c:1227 Note that prior to 2e670cd, there was also a crash when several SRv6 End SIDs were present. Fixes: 2e670cd ("isisd: fix display of srv6 subsubtlvs") Fixes: 648a158 ("isisd: Add SRv6 End.X SID to Sub-TLV format func") Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>

Fix a crash when doing "show isis database detail json" in isis_srv6_topo1 topotest. > #0 raise (sig=<optimized out>) at ../sysdeps/unix/sysv/linux/raise.c:50 > #1 0x00007fad89524e2c in core_handler (signo=6, siginfo=0x7ffe86a4b8b0, context=0x7ffe86a4b780) at lib/sigevent.c:258 > #2 <signal handler called> > #3 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 > FRRouting#4 0x00007fad8904e537 in __GI_abort () at abort.c:79 > FRRouting#5 0x00007fad8904e40f in __assert_fail_base (fmt=0x7fad891c5688 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x7fad8a3e70e8 "json_object_get_type(jso) == json_type_object", > file=0x7fad8a3e7064 "./json_object.c", line=590, function=<optimized out>) at assert.c:92 > FRRouting#6 0x00007fad8905d662 in __GI___assert_fail (assertion=0x7fad8a3e70e8 "json_object_get_type(jso) == json_type_object", file=0x7fad8a3e7064 "./json_object.c", line=590, > function=0x7fad8a3e7440 "json_object_object_add_ex") at assert.c:101 > FRRouting#7 0x00007fad8a3dfe93 in json_object_object_add_ex () from /lib/x86_64-linux-gnu/libjson-c.so.5 > FRRouting#8 0x000055708e3f8f7f in format_subsubtlv_srv6_sid_structure (sid_struct=0x602000172b70, buf=0x0, json=0x6040000a21d0, indent=6) at isisd/isis_tlvs.c:2880 > FRRouting#9 0x000055708e3f9acb in isis_format_subsubtlvs (subsubtlvs=0x602000172b50, buf=0x0, json=0x6040000a21d0, indent=6) at isisd/isis_tlvs.c:3022 > FRRouting#10 0x000055708e3eefb0 in format_item_ext_subtlvs (exts=0x614000047440, buf=0x0, json=0x6040000a2190, indent=2, mtid=2) at isisd/isis_tlvs.c:1313 > FRRouting#11 0x000055708e3fd599 in format_item_extended_reach (mtid=2, i=0x60300015aed0, buf=0x0, json=0x6040000a1bd0, indent=0) at isisd/isis_tlvs.c:3763 > FRRouting#12 0x000055708e40d46a in format_item (mtid=2, context=ISIS_CONTEXT_LSP, type=ISIS_TLV_MT_REACH, i=0x60300015aed0, buf=0x0, json=0x6040000a1bd0, indent=0) at isisd/isis_tlvs.c:6789 > FRRouting#13 0x000055708e40d4fc in format_items_ (mtid=2, context=ISIS_CONTEXT_LSP, type=ISIS_TLV_MT_REACH, items=0x60600021d160, buf=0x0, json=0x6040000a1bd0, indent=0) at isisd/isis_tlvs.c:6804 > FRRouting#14 0x000055708e40edbc in format_mt_items (context=ISIS_CONTEXT_LSP, type=ISIS_TLV_MT_REACH, m=0x6180000845d8, buf=0x0, json=0x6040000a1bd0, indent=0) at isisd/isis_tlvs.c:7147 > FRRouting#15 0x000055708e4111e9 in format_tlvs (tlvs=0x618000084480, buf=0x0, json=0x6040000a1bd0, indent=0) at isisd/isis_tlvs.c:7572 > FRRouting#16 0x000055708e4114ce in isis_format_tlvs (tlvs=0x618000084480, json=0x6040000a1bd0) at isisd/isis_tlvs.c:7613 > FRRouting#17 0x000055708e36f167 in lsp_print_detail (lsp=0x612000058b40, vty=0x0, json=0x6040000a1bd0, dynhost=1 '\001', isis=0x60d00001f800) at isisd/isis_lsp.c:785 > FRRouting#18 0x000055708e36f31f in lsp_print_all (vty=0x0, json=0x6040000a0490, head=0x61f000005488, detail=1 '\001', dynhost=1 '\001', isis=0x60d00001f800) at isisd/isis_lsp.c:820 > FRRouting#19 0x000055708e4379fc in show_isis_database_lspdb_json (json=0x6040000a0450, area=0x61f000005480, level=0, lspdb=0x61f000005488, sysid_str=0x0, ui_level=1) at isisd/isisd.c:2683 > FRRouting#20 0x000055708e437ef9 in show_isis_database_json (json=0x6040000a0310, sysid_str=0x0, ui_level=1, isis=0x60d00001f800) at isisd/isisd.c:2754 > FRRouting#21 0x000055708e438357 in show_isis_database_common (vty=0x62e000060400, json=0x6040000a0310, sysid_str=0x0, ui_level=1, isis=0x60d00001f800) at isisd/isisd.c:2788 > FRRouting#22 0x000055708e438591 in show_isis_database (vty=0x62e000060400, json=0x6040000a0310, sysid_str=0x0, ui_level=1, vrf_name=0x7fad89806300 <vrf_default_name> "default", all_vrf=false) > at isisd/isisd.c:2825 > FRRouting#23 0x000055708e43891d in show_database (self=0x55708e5519c0 <show_database_cmd>, vty=0x62e000060400, argc=5, argv=0x6040000a02d0) at isisd/isisd.c:2855 > FRRouting#24 0x00007fad893a9767 in cmd_execute_command_real (vline=0x60300015f220, vty=0x62e000060400, cmd=0x0, up_level=0) at lib/command.c:1002 > FRRouting#25 0x00007fad893a9adc in cmd_execute_command (vline=0x60300015f220, vty=0x62e000060400, cmd=0x0, vtysh=0) at lib/command.c:1061 > FRRouting#26 0x00007fad893aa728 in cmd_execute (vty=0x62e000060400, cmd=0x621000025900 "show isis database detail json ", matched=0x0, vtysh=0) at lib/command.c:1227 Note that prior to 2e670cd, there was no crash but only the last "srv6-sid-structure" was displayed. A "srv6-sid-structure" should be displayed for each "sid". This commit also fix this. Was: > "srv6-lan-endx-sid": [ > { > "sid": "fc00:0:1:1::", > "weight": 0, > "algorithm": "SPF", > "neighbor-id": "0000.0000.0002" > }, > { > "sid": "fc00:0:1:2::", > "weight": 0, > "algorithm": "SPF", > "neighbor-id": "0000.0000.0003" > } > ], > "srv6-sid-structure": { > "loc-block-len": 32, > "loc-node-len": 16, > "func-len": 16, > "arg-len": 0 > }, Now (srv6-sid-structure are identical but they are not always): > "srv6-lan-endx-sid": [ > { > "sid": "fc00:0:1:1::", > "algorithm": "SPF", > "neighbor-id": "0000.0000.0002", > "srv6-sid-structure": { > "loc-block-len": 32, > "loc-node-len": 16, > "func-len": 8, > "arg-len": 0 > }, > }, > { > "sid": "fc00:0:1:2::", > "algorithm": "SPF", > "neighbor-id": "0000.0000.0003", > "srv6-sid-structure": { > "loc-block-len": 32, > "loc-node-len": 16, > "func-len": 16, > "arg-len": 0 > }, > } > ], Fixes: 2e670cd ("isisd: fix display of srv6 subsubtlvs") Fixes: 648a158 ("isisd: Add SRv6 End.X SID to Sub-TLV format func") Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>

Fix the following crash when pim options are (un)configured on an non-existent interface. > r1(config)# int fgljdsf > r1(config-if)# no ip pim unicast-bsm > vtysh: error reading from pimd: Connection reset by peer (104)Warning: closing connection to pimd because of an I/O error! > #0 raise (sig=<optimized out>) at ../sysdeps/unix/sysv/linux/raise.c:50 > #1 0x00007f70c8f32249 in core_handler (signo=11, siginfo=0x7fffff88e4f0, context=0x7fffff88e3c0) at lib/sigevent.c:258 > #2 <signal handler called> > #3 0x0000556cfdd9b16d in lib_interface_pim_address_family_unicast_bsm_modify (args=0x7fffff88f130) at pimd/pim_nb_config.c:1910 > FRRouting#4 0x00007f70c8efdcb5 in nb_callback_modify (context=0x556d00032b60, nb_node=0x556cffeeb9b0, event=NB_EV_APPLY, dnode=0x556d00031670, resource=0x556d00032b48, errmsg=0x7fffff88f710 "", errmsg_len=8192) > at lib/northbound.c:1538 > FRRouting#5 0x00007f70c8efe949 in nb_callback_configuration (context=0x556d00032b60, event=NB_EV_APPLY, change=0x556d00032b10, errmsg=0x7fffff88f710 "", errmsg_len=8192) at lib/northbound.c:1888 > FRRouting#6 0x00007f70c8efee82 in nb_transaction_process (event=NB_EV_APPLY, transaction=0x556d00032b60, errmsg=0x7fffff88f710 "", errmsg_len=8192) at lib/northbound.c:2016 > FRRouting#7 0x00007f70c8efd658 in nb_candidate_commit_apply (transaction=0x556d00032b60, save_transaction=true, transaction_id=0x0, errmsg=0x7fffff88f710 "", errmsg_len=8192) at lib/northbound.c:1356 > FRRouting#8 0x00007f70c8efd78e in nb_candidate_commit (context=..., candidate=0x556cffeb0e80, save_transaction=true, comment=0x0, transaction_id=0x0, errmsg=0x7fffff88f710 "", errmsg_len=8192) at lib/northbound.c:1389 > FRRouting#9 0x00007f70c8f03e58 in nb_cli_classic_commit (vty=0x556d00025a80) at lib/northbound_cli.c:51 > FRRouting#10 0x00007f70c8f043f8 in nb_cli_apply_changes_internal (vty=0x556d00025a80, > xpath_base=0x7fffff893bb0 "/frr-interface:lib/interface[name='fgljdsf']/frr-pim:pim/address-family[address-family='frr-routing:ipv4']", clear_pending=false) at lib/northbound_cli.c:178 > FRRouting#11 0x00007f70c8f0475d in nb_cli_apply_changes (vty=0x556d00025a80, xpath_base_fmt=0x556cfdde9fe0 "./frr-pim:pim/address-family[address-family='%s']") at lib/northbound_cli.c:234 > FRRouting#12 0x0000556cfdd8298f in pim_process_no_unicast_bsm_cmd (vty=0x556d00025a80) at pimd/pim_cmd_common.c:3493 > FRRouting#13 0x0000556cfddcf782 in no_ip_pim_ucast_bsm (self=0x556cfde40b20 <no_ip_pim_ucast_bsm_cmd>, vty=0x556d00025a80, argc=4, argv=0x556d00031500) at pimd/pim_cmd.c:4950 > FRRouting#14 0x00007f70c8e942f0 in cmd_execute_command_real (vline=0x556d00032070, vty=0x556d00025a80, cmd=0x0, up_level=0) at lib/command.c:1002 > FRRouting#15 0x00007f70c8e94451 in cmd_execute_command (vline=0x556d00032070, vty=0x556d00025a80, cmd=0x0, vtysh=0) at lib/command.c:1061 > FRRouting#16 0x00007f70c8e9499f in cmd_execute (vty=0x556d00025a80, cmd=0x556d00030320 "no ip pim unicast-bsm", matched=0x0, vtysh=0) at lib/command.c:1227 > FRRouting#17 0x00007f70c8f51e44 in vty_command (vty=0x556d00025a80, buf=0x556d00030320 "no ip pim unicast-bsm") at lib/vty.c:616 > FRRouting#18 0x00007f70c8f53bdd in vty_execute (vty=0x556d00025a80) at lib/vty.c:1379 > FRRouting#19 0x00007f70c8f55d59 in vtysh_read (thread=0x7fffff896600) at lib/vty.c:2374 > FRRouting#20 0x00007f70c8f4b209 in event_call (thread=0x7fffff896600) at lib/event.c:2011 > FRRouting#21 0x00007f70c8ed109e in frr_run (master=0x556cffdb4ea0) at lib/libfrr.c:1217 > FRRouting#22 0x0000556cfdddec12 in main (argc=2, argv=0x7fffff896828, envp=0x7fffff896840) at pimd/pim_main.c:165 > (gdb) f 3 > #3 0x0000556cfdd9b16d in lib_interface_pim_address_family_unicast_bsm_modify (args=0x7fffff88f130) at pimd/pim_nb_config.c:1910 > 1910 pim_ifp->ucast_bsm_accept = > (gdb) list > 1905 case NB_EV_ABORT: > 1906 break; > 1907 case NB_EV_APPLY: > 1908 ifp = nb_running_get_entry(args->dnode, NULL, true); > 1909 pim_ifp = ifp->info; > 1910 pim_ifp->ucast_bsm_accept = > 1911 yang_dnode_get_bool(args->dnode, NULL); > 1912 > 1913 break; > 1914 } > (gdb) p pim_ifp > $1 = (struct pim_interface *) 0x0 Fixes: 3bb513c ("lib: adapt to version 2 of libyang") Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>

eqvinox added this to the 2.0-rc1 milestone Dec 20, 2016

donaldsharp modified the milestones: 2.0-rc2, 2.0-rc1 Jan 17, 2017

donaldsharp assigned eqvinox and rwestphal Jan 31, 2017

donaldsharp closed this as completed Feb 2, 2017

mdash-vmware mentioned this issue Oct 8, 2018

BGPd crashed on 2 routers while running Topotest "test_bgp_l3vpn_to_bgp_vrf.py" #3144

Closed

karamalla0406 mentioned this issue Nov 14, 2018

BGP daemon crash a L2VNI in unconfigured #3333

Closed

cfra referenced this issue in opensourcerouting/frr Nov 29, 2018

Merge pull request #19 from opensourcerouting/mpls-module-check

44dd822

Add check for mpls module to more places

louberger mentioned this issue May 1, 2019

Zebra diet #4236

Merged

donaldsharp mentioned this issue Jul 1, 2020

description line in route-maps leaks memory #6659

Closed

This was referenced Oct 16, 2020

zebra: Fix use after free in debug path #7330

Merged

[7.5]zebra: Fix use after free in debug path #7331

Merged

gpnaveen mentioned this issue Jan 21, 2021

[FRR OSPFv2] OSPFd Coredump seen at ospf_ls_upd_send in ASBR summarisation topotest is executed (Pull Req : 7096) #7895

Closed

rgirada mentioned this issue Jul 20, 2021

ospfd: ospfd crash while giving 'clear ip ospf neighbor' #9093

Merged

ranjanyash54 pushed a commit to ranjanyash54/frr that referenced this issue Aug 18, 2021

Merge pull request FRRouting#19 from pushpasis/new

e0f0c84

lib: fix cmgd commit-apply delay.

wangshengjun mentioned this issue Nov 12, 2021

zebra: add the parameter check to avoid zebra crash issue which cause… #10041

Closed

gpnaveen pushed a commit to gpnaveen/frr that referenced this issue May 31, 2022

Merge pull request FRRouting#19 from wesl-ee/origin/qol-simple-fixups

eeb6dbf

qing8717 mentioned this issue Mar 18, 2023

yang: In some special configure，the command [show yang operational-data /frr-vrf:lib zebra] leads to segmentfault error #13029

Closed

louis-6wind mentioned this issue Jan 31, 2024

bgpd,lib: fix logging from rpki_create_socket() #15265

Merged

louis-6wind mentioned this issue Jun 28, 2024

pimd: fix crash on non-existent interface #16309

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Zebra is ignoring IPv6 link-local addresses on recent Linux kernels #19

Zebra is ignoring IPv6 link-local addresses on recent Linux kernels #19

NetDEF-CI commented Dec 19, 2016

donaldsharp commented Jan 10, 2017

rwestphal commented Feb 2, 2017

dsahern commented Feb 2, 2017

donaldsharp commented Feb 2, 2017

rwestphal commented Feb 2, 2017

Zebra is ignoring IPv6 link-local addresses on recent Linux kernels #19

Zebra is ignoring IPv6 link-local addresses on recent Linux kernels #19

Comments

NetDEF-CI commented Dec 19, 2016

donaldsharp commented Jan 10, 2017

rwestphal commented Feb 2, 2017

dsahern commented Feb 2, 2017

donaldsharp commented Feb 2, 2017

rwestphal commented Feb 2, 2017