bgpd: Fix double-free crash in peer_delete() during doppelganger peer… (backport #20661) #20682
Merged
ton31337 merged 1 commit into stable/10.5 from Feb 4, 2026
… transfer
In peer_xfer_conn(), the hostname, domainname, and soft_version pointers were transferred between peers using simple pointer assignment, which caused both peers to reference the same memory. If the transfer didn't complete cleanly or there was a race condition during peer state transitions, when both peers were eventually deleted, the same memory was freed twice, causing a crash.
Fix this by using XSTRDUP() to create independent copies of the strings instead of transferring pointer ownership. This ensures each peer owns its own memory and can be safely deleted independently.
Crash was seen intermittently when removing interface-based BGP neighbors from peer-groups after the session reached Established state.
example: no neighbor swp3 interface peer-group fabric
Backtrace:
#0 0x00007fc88b41aeec in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00007fc88b3cbfb2 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#2 0x00007fc88b70045c in core_handler (signo=11, siginfo=0x7fffbdee6c30, context=<optimized out>) at ../lib/sigevent.c:261
#3 <signal handler called>
#4 0x00007fc88b429d49 in malloc_usable_size () from /lib/x86_64-linux-gnu/libc.so.6
#5 0x00007fc88b6c99f9 in mt_count_free (ptr=0x55ff594d9320, mt=0x55ff25046460 <MTYPE_BGP_PEER_HOST>) at ../lib/memory.c:77
#6 qfree (mt=0x55ff25046460 <MTYPE_BGP_PEER_HOST>, ptr=0x55ff594d9320) at ../lib/memory.c:129
#7 0x000055ff24eac802 in peer_delete (peer=peer@entry=0x55ff5941d770) at ../bgpd/bgpd.c:2864
#8 0x000055ff24e65982 in no_neighbor_interface_config (...) at ../bgpd/bgp_vty.c:5862
#9 0x00007fc88b695ab0 in cmd_execute_command_real (...) at ../lib/command.c:1018
#10 0x00007fc88b695bae in cmd_execute_command (...) at ../lib/command.c:1076
#11 0x00007fc88b695e40 in cmd_execute (vty=..., cmd="no neighbor swp3 interface peer-group test_gr_shut", ...) at ../lib/command.c:1243
Ticket: #20628
Signed-off-by: Rajesh Varatharaj <rvaratharaj@nvidia.com>
(cherry picked from commit 27064f7)
Target branch is not in the allowed branches list.
This is an automatic backport of pull request #20661 done by Mergify.
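The aliasing the commit message describes, reduced to a self-contained model (an added example, not FRR code and not part of this pull request). `toy_peer`, `tracked_dup` and `run_transfer` are hypothetical names, `tracked_dup` stands in for XSTRDUP(), and the source peer keeping its pointer after the transfer is an assumed failure path; the tracking allocator counts a second free instead of crashing inside the allocator as the backtrace does.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-in for a bgpd peer; not FRR's struct peer. */
struct toy_peer { char *hostname; };
static void *live[8];     /* allocations that have not been freed yet */
static int double_frees;  /* frees of a pointer that is no longer live */

/* Copies s into a fresh allocation and records it (role of XSTRDUP). */
static char *tracked_dup(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (!p) abort();
    memcpy(p, s, n);
    for (int i = 0; i < 8; i++)
        if (!live[i]) { live[i] = p; break; }
    return p;
}

/* Frees p if it is live; otherwise counts a double free instead of crashing. */
static void tracked_free(void *p)
{
    for (int i = 0; p && i < 8; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_frees += (p != NULL);
}

static void toy_peer_delete(struct toy_peer *peer)
{
    tracked_free(peer->hostname);
    peer->hostname = NULL;
}

/* Moves the hostname between two peers by plain pointer assignment
 * (duplicate == 0) or by copy, deletes both, returns double frees seen. */
int run_transfer(int duplicate)
{
    struct toy_peer from = { tracked_dup("leaf01.example") }, to = { NULL };
    double_frees = 0;
    to.hostname = duplicate ? tracked_dup(from.hostname) : from.hostname;
    toy_peer_delete(&to);
    toy_peer_delete(&from);
    return double_frees;
}

int main(void)
{
    printf("assign=%d copy=%d\n", run_transfer(0), run_transfer(1));
    return 0;
}
```

With plain assignment the second `toy_peer_delete()` hands the allocator a pointer it has already released; with a copy each peer frees only its own buffer.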