zebra: fix sanitizer report of freed es use during zebra shutdown

================================================================= ==24764==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d0000115c8 at pc 0x55cb9cfad312 bp 0x7fffa0552140 sp 0x7fffa0552138 READ of size 8 at 0x60d0000115c8 thread T0 #0 0x55cb9cfad311 in zebra_evpn_remote_es_flush zebra/zebra_evpn_mh.c:2041 #1 0x55cb9cfad311 in zebra_evpn_es_cleanup zebra/zebra_evpn_mh.c:2234 #2 0x55cb9cf6ae78 in zebra_vrf_disable zebra/zebra_vrf.c:205 #3 0x7fc8d478f114 in vrf_delete lib/vrf.c:229 #4 0x7fc8d478f99a in vrf_terminate lib/vrf.c:541 #5 0x55cb9ceba0af in sigint zebra/main.c:176 #6 0x55cb9ceba0af in sigint zebra/main.c:130 #7 0x7fc8d4765d20 in quagga_sigevent_process lib/sigevent.c:103 #8 0x7fc8d4787e8c in thread_fetch lib/thread.c:1396 #9 0x7fc8d4708782 in frr_run lib/libfrr.c:1092 FRRouting#10 0x55cb9ce931d8 in main zebra/main.c:488 FRRouting#11 0x7fc8d43ee09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a) FRRouting#12 0x55cb9ce94c09 in _start (/usr/lib/frr/zebra+0x8ac09) ================================================================= Signed-off-by: Anuradha Karuppiah <anuradhak@cumulusnetworks.com>
qlyoung · May 31, 2020 · a7bfebb · a7bfebb
1 parent c70b309
commit a7bfebb
Showing 1 changed file with 11 additions and 9 deletions.
diff --git a/zebra/zebra_evpn_mh.c b/zebra/zebra_evpn_mh.c
@@ -62,7 +62,7 @@ DEFINE_MTYPE_STATIC(ZEBRA, L2_NH, "L2 nexthop");
 static void zebra_evpn_es_get_one_base_evpn(void);
 static int zebra_evpn_es_evi_send_to_client(struct zebra_evpn_es *es,
 		zebra_evpn_t *zevpn, bool add);
-static void zebra_evpn_local_es_del(struct zebra_evpn_es *es);
+static struct zebra_evpn_es *zebra_evpn_local_es_del(struct zebra_evpn_es *es);
 static int zebra_evpn_local_es_update(struct zebra_if *zif, uint32_t lid,
 		struct ethaddr *sysmac);
 static bool zebra_evpn_es_br_port_dplane_update(struct zebra_evpn_es *es,
@@ -1982,13 +1982,14 @@ static void zebra_evpn_es_local_info_set(struct zebra_evpn_es *es,
 	zebra_evpn_mh_update_protodown_es(es);
 }
 
-static void zebra_evpn_es_local_info_clear(struct zebra_evpn_es *es)
+static struct zebra_evpn_es *zebra_evpn_es_local_info_clear(
+		struct zebra_evpn_es *es)
 {
 	struct zebra_if *zif;
 	bool dplane_updated = false;
 
 	if (!(es->flags & ZEBRA_EVPNES_LOCAL))
-		return;
+		return es;
 
 	es->flags &= ~(ZEBRA_EVPNES_LOCAL |
 					ZEBRA_EVPNES_READY_FOR_BGP);
@@ -2021,19 +2022,19 @@ static void zebra_evpn_es_local_info_clear(struct zebra_evpn_es *es)
 	list_delete_node(zmh_info->local_es_list, &es->local_es_listnode);
 
 	/* free up the ES if there is no remote reference */
-	zebra_evpn_es_free(es);
+	return zebra_evpn_es_free(es);
 }
 
 /* Delete an ethernet segment and inform BGP */
-static void zebra_evpn_local_es_del(struct zebra_evpn_es *es)
+static struct zebra_evpn_es *zebra_evpn_local_es_del(struct zebra_evpn_es *es)
 {
 	struct zebra_evpn_es_evi *es_evi;
 	struct listnode *node = NULL;
 	struct listnode *nnode = NULL;
 	struct zebra_if *zif;
 
 	if (!CHECK_FLAG(es->flags, ZEBRA_EVPNES_LOCAL))
-		return;
+		return es;
 
 	if (IS_ZEBRA_DEBUG_EVPN_MH_ES) {
 		zif = es->zif;
@@ -2050,7 +2051,7 @@ static void zebra_evpn_local_es_del(struct zebra_evpn_es *es)
 	if (es->flags & ZEBRA_EVPNES_READY_FOR_BGP)
 		zebra_evpn_es_send_del_to_client(es);
 
-	zebra_evpn_es_local_info_clear(es);
+	return zebra_evpn_es_local_info_clear(es);
 }
 
 /* eval remote info associated with the ES */
@@ -2358,8 +2359,9 @@ void zebra_evpn_es_cleanup(void)
 
 	RB_FOREACH_SAFE(es, zebra_es_rb_head,
 			&zmh_info->es_rb_tree, es_next) {
-		zebra_evpn_local_es_del(es);
-		zebra_evpn_remote_es_flush(es);
+		es = zebra_evpn_local_es_del(es);
+		if (es)
+			zebra_evpn_remote_es_flush(es);
 	}
 }