From a7bfebb440797ad011847e183b9f48f3505ed46a Mon Sep 17 00:00:00 2001
From: Anuradha Karuppiah
Date: Sun, 31 May 2020 08:03:14 -0700
Subject: [PATCH] zebra: fix sanitizer report of freed es use during zebra shutdown
=================================================================
==24764==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d0000115c8 at pc 0x55cb9cfad312 bp 0x7fffa0552140 sp 0x7fffa0552138
READ of size 8 at 0x60d0000115c8 thread T0
#0 0x55cb9cfad311 in zebra_evpn_remote_es_flush zebra/zebra_evpn_mh.c:2041
#1 0x55cb9cfad311 in zebra_evpn_es_cleanup zebra/zebra_evpn_mh.c:2234
#2 0x55cb9cf6ae78 in zebra_vrf_disable zebra/zebra_vrf.c:205
#3 0x7fc8d478f114 in vrf_delete lib/vrf.c:229
#4 0x7fc8d478f99a in vrf_terminate lib/vrf.c:541
#5 0x55cb9ceba0af in sigint zebra/main.c:176
#6 0x55cb9ceba0af in sigint zebra/main.c:130
#7 0x7fc8d4765d20 in quagga_sigevent_process lib/sigevent.c:103
#8 0x7fc8d4787e8c in thread_fetch lib/thread.c:1396
#9 0x7fc8d4708782 in frr_run lib/libfrr.c:1092
#10 0x55cb9ce931d8 in main zebra/main.c:488
#11 0x7fc8d43ee09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
#12 0x55cb9ce94c09 in _start (/usr/lib/frr/zebra+0x8ac09)
=================================================================
Signed-off-by: Anuradha Karuppiah
---
 zebra/zebra_evpn_mh.c | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/zebra/zebra_evpn_mh.c b/zebra/zebra_evpn_mh.c
index cab7729674e5..a508f266a51a 100644
--- a/zebra/zebra_evpn_mh.c
+++ b/zebra/zebra_evpn_mh.c
@@ -62,7 +62,7 @@ DEFINE_MTYPE_STATIC(ZEBRA, L2_NH, "L2 nexthop");
 static void zebra_evpn_es_get_one_base_evpn(void);
 static int zebra_evpn_es_evi_send_to_client(struct zebra_evpn_es *es, zebra_evpn_t *zevpn, bool add);
-static void zebra_evpn_local_es_del(struct zebra_evpn_es *es);
+static struct zebra_evpn_es *zebra_evpn_local_es_del(struct zebra_evpn_es *es);
 static int zebra_evpn_local_es_update(struct zebra_if *zif, uint32_t lid, struct ethaddr *sysmac);
 static bool zebra_evpn_es_br_port_dplane_update(struct zebra_evpn_es *es,
@@ -1982,13 +1982,14 @@ static void zebra_evpn_es_local_info_set(struct zebra_evpn_es *es,
 zebra_evpn_mh_update_protodown_es(es);
 }
-static void zebra_evpn_es_local_info_clear(struct zebra_evpn_es *es)
+static struct zebra_evpn_es *zebra_evpn_es_local_info_clear(
+ struct zebra_evpn_es *es)
 {
 struct zebra_if *zif;
 bool dplane_updated = false;
 if (!(es->flags & ZEBRA_EVPNES_LOCAL))
- return;
+ return es;
 es->flags &= ~(ZEBRA_EVPNES_LOCAL | ZEBRA_EVPNES_READY_FOR_BGP);
@@ -2021,11 +2022,11 @@ static void zebra_evpn_es_local_info_clear(struct zebra_evpn_es *es)
 list_delete_node(zmh_info->local_es_list, &es->local_es_listnode);
 /* free up the ES if there is no remote reference */
- zebra_evpn_es_free(es);
+ return zebra_evpn_es_free(es);
 }
 /* Delete an ethernet segment and inform BGP */
-static void zebra_evpn_local_es_del(struct zebra_evpn_es *es)
+static struct zebra_evpn_es *zebra_evpn_local_es_del(struct zebra_evpn_es *es)
 {
 struct zebra_evpn_es_evi *es_evi;
 struct listnode *node = NULL;
@@ -2033,7 +2034,7 @@ static void zebra_evpn_local_es_del(struct zebra_evpn_es *es)
 struct zebra_if *zif;
 if (!CHECK_FLAG(es->flags, ZEBRA_EVPNES_LOCAL))
- return;
+ return es;
 if (IS_ZEBRA_DEBUG_EVPN_MH_ES) {
 zif = es->zif;
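Review bot: The pointer returned by `return zebra_evpn_es_free(es);` in the -2021 hunk is now the only signal telling a caller whether `es` is still valid, yet neither zebra_evpn_es_local_info_clear() nor zebra_evpn_local_es_del() documents it. zebra_evpn_es_free() is outside this diff; judging by the `if (es)` guard added in zebra_evpn_es_cleanup(), it presumably returns NULL once the ES has been freed and the ES itself while a remote reference remains. I would extend the comment above zebra_evpn_local_es_del to `/* Delete an ethernet segment and inform BGP; returns NULL if the ES was freed, otherwise the still-referenced ES */` and put a matching comment on zebra_evpn_es_local_info_clear. The early `return es;` paths in the -1982 and -2033 hunks follow the same contract, and both function bodies extend beyond the lines shown.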
@@ -2050,7 +2051,7 @@ static void zebra_evpn_local_es_del(struct zebra_evpn_es *es)
 if (es->flags & ZEBRA_EVPNES_READY_FOR_BGP)
 zebra_evpn_es_send_del_to_client(es);
- zebra_evpn_es_local_info_clear(es);
+ return zebra_evpn_es_local_info_clear(es);
 }
 /* eval remote info associated with the ES */
@@ -2358,8 +2359,9 @@ void zebra_evpn_es_cleanup(void)
 RB_FOREACH_SAFE(es, zebra_es_rb_head, &zmh_info->es_rb_tree, es_next) {
- zebra_evpn_local_es_del(es);
- zebra_evpn_remote_es_flush(es);
+ es = zebra_evpn_local_es_del(es);
+ if (es)
+ zebra_evpn_remote_es_flush(es);
 }
 }
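Review bot: Only the loop in zebra_evpn_es_cleanup() (the -2358 hunk) checks the new return value, so any other caller of zebra_evpn_local_es_del() or zebra_evpn_es_local_info_clear() that dereferences its `es` afterwards would still read freed memory; those call sites are not in this diff and need a look. Declaring both functions with `__attribute__((warn_unused_result))` would let the compiler point out callers that drop the result. Inside the loop, overwriting the iteration variable with a possibly-NULL value is safe only if RB_FOREACH_SAFE advances from `es_next`, which I believe it does but cannot confirm from this page. A short comment such as `/* es may have been freed; the loop continues from es_next */` would record that assumption.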