ldpd should display interfaces in order consistent with the rest of the routing protocols #18

NetDEF-CI · 2016-12-19T09:07:15Z

Issue by donaldsharp
Friday Dec 09, 2016 at 17:53 GMT
Originally opened as https://github.com/opensourcerouting/cumulus-private_quagga/issues/12

mpls ldp
router-id 6.0.0.3
!
address-family ipv4
discovery transport-address 6.0.0.3
!
interface swp4
!
interface swp3
!
interface swp2
!
interface swp1
!
!
!

We should have a sorted list as is the case for other routing protocols.

rwestphal · 2016-12-21T21:36:42Z

Fix available on: https://github.com/opensourcerouting/frr/commits/ldpd-ordered-output

donaldsharp · 2017-01-07T00:52:47Z

Fix committed into develop

Fixes to run topotest on ARM7 testbeds (and more reliable on other systems)

When zebra is running with debugs turned on there is a use after free reported by the address sanitizer: 2020/10/16 12:58:02 ZEBRA: rib_delnode: (0:254):4.5.6.16/32: rn 0x60b000026f20, re 0x6080000131a0, removing 2020/10/16 12:58:02 ZEBRA: rib_meta_queue_add: (0:254):4.5.6.16/32: queued rn 0x60b000026f20 into sub-queue 3 ================================================================= ==3101430==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000011d28 at pc 0x555555705ab6 bp 0x7fffffffdab0 sp 0x7fffffffdaa8 READ of size 8 at 0x608000011d28 thread T0 #0 0x555555705ab5 in re_list_const_first zebra/rib.h:222 #1 0x555555705b54 in re_list_first zebra/rib.h:222 #2 0x555555711a4f in process_subq_route zebra/zebra_rib.c:2248 #3 0x555555711d2e in process_subq zebra/zebra_rib.c:2286 #4 0x555555711ec7 in meta_queue_process zebra/zebra_rib.c:2320 #5 0x7ffff74701f7 in work_queue_run lib/workqueue.c:291 #6 0x7ffff7450e9c in thread_call lib/thread.c:1581 #7 0x7ffff738eaf7 in frr_run lib/libfrr.c:1099 #8 0x55555561a578 in main zebra/main.c:455 #9 0x7ffff7079cc9 in __libc_start_main ../csu/libc-start.c:308 #10 0x5555555e3429 in _start (/usr/lib/frr/zebra+0x8f429) 0x608000011d28 is located 8 bytes inside of 88-byte region [0x608000011d20,0x608000011d78) freed by thread T0 here: #0 0x7ffff768bb6f in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.6+0xa9b6f) #1 0x7ffff739ccad in qfree lib/memory.c:129 #2 0x555555709ee4 in rib_gc_dest zebra/zebra_rib.c:746 #3 0x55555570ca76 in rib_process zebra/zebra_rib.c:1240 #4 0x555555711a05 in process_subq_route zebra/zebra_rib.c:2245 #5 0x555555711d2e in process_subq zebra/zebra_rib.c:2286 #6 0x555555711ec7 in meta_queue_process zebra/zebra_rib.c:2320 #7 0x7ffff74701f7 in work_queue_run lib/workqueue.c:291 #8 0x7ffff7450e9c in thread_call lib/thread.c:1581 #9 0x7ffff738eaf7 in frr_run lib/libfrr.c:1099 #10 0x55555561a578 in main zebra/main.c:455 #11 0x7ffff7079cc9 in __libc_start_main ../csu/libc-start.c:308 previously allocated by thread T0 here: #0 0x7ffff768c037 in calloc (/lib/x86_64-linux-gnu/libasan.so.6+0xaa037) #1 0x7ffff739cb98 in qcalloc lib/memory.c:110 #2 0x555555712ace in zebra_rib_create_dest zebra/zebra_rib.c:2515 #3 0x555555712c6c in rib_link zebra/zebra_rib.c:2576 #4 0x555555712faa in rib_addnode zebra/zebra_rib.c:2607 #5 0x555555715bf0 in rib_add_multipath_nhe zebra/zebra_rib.c:3012 #6 0x555555715f56 in rib_add_multipath zebra/zebra_rib.c:3049 #7 0x55555571788b in rib_add zebra/zebra_rib.c:3327 #8 0x5555555e584a in connected_up zebra/connected.c:254 #9 0x5555555e42ff in connected_announce zebra/connected.c:94 #10 0x5555555e4fd3 in connected_update zebra/connected.c:195 #11 0x5555555e61ad in connected_add_ipv4 zebra/connected.c:340 #12 0x5555555f26f5 in netlink_interface_addr zebra/if_netlink.c:1213 #13 0x55555560f756 in netlink_information_fetch zebra/kernel_netlink.c:350 #14 0x555555612e49 in netlink_parse_info zebra/kernel_netlink.c:941 #15 0x55555560f9f1 in kernel_read zebra/kernel_netlink.c:402 #16 0x7ffff7450e9c in thread_call lib/thread.c:1581 #17 0x7ffff738eaf7 in frr_run lib/libfrr.c:1099 #18 0x55555561a578 in main zebra/main.c:455 #19 0x7ffff7079cc9 in __libc_start_main ../csu/libc-start.c:308 SUMMARY: AddressSanitizer: heap-use-after-free zebra/rib.h:222 in re_list_const_first This is happening because we are using the dest pointer after a call into rib_gc_dest. In process_subq_route, we call rib_process() and if the dest is deleted dest pointer is now garbage. We must reload the dest pointer in this case. Signed-off-by: Donald Sharp <sharpd@nvidia.com>

When zebra is running with debugs turned on there is a use after free reported by the address sanitizer: 2020/10/16 12:58:02 ZEBRA: rib_delnode: (0:254):4.5.6.16/32: rn 0x60b000026f20, re 0x6080000131a0, removing 2020/10/16 12:58:02 ZEBRA: rib_meta_queue_add: (0:254):4.5.6.16/32: queued rn 0x60b000026f20 into sub-queue 3 ================================================================= ==3101430==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000011d28 at pc 0x555555705ab6 bp 0x7fffffffdab0 sp 0x7fffffffdaa8 READ of size 8 at 0x608000011d28 thread T0 #0 0x555555705ab5 in re_list_const_first zebra/rib.h:222 FRRouting#1 0x555555705b54 in re_list_first zebra/rib.h:222 FRRouting#2 0x555555711a4f in process_subq_route zebra/zebra_rib.c:2248 FRRouting#3 0x555555711d2e in process_subq zebra/zebra_rib.c:2286 FRRouting#4 0x555555711ec7 in meta_queue_process zebra/zebra_rib.c:2320 FRRouting#5 0x7ffff74701f7 in work_queue_run lib/workqueue.c:291 FRRouting#6 0x7ffff7450e9c in thread_call lib/thread.c:1581 FRRouting#7 0x7ffff738eaf7 in frr_run lib/libfrr.c:1099 FRRouting#8 0x55555561a578 in main zebra/main.c:455 FRRouting#9 0x7ffff7079cc9 in __libc_start_main ../csu/libc-start.c:308 FRRouting#10 0x5555555e3429 in _start (/usr/lib/frr/zebra+0x8f429) 0x608000011d28 is located 8 bytes inside of 88-byte region [0x608000011d20,0x608000011d78) freed by thread T0 here: #0 0x7ffff768bb6f in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.6+0xa9b6f) FRRouting#1 0x7ffff739ccad in qfree lib/memory.c:129 FRRouting#2 0x555555709ee4 in rib_gc_dest zebra/zebra_rib.c:746 FRRouting#3 0x55555570ca76 in rib_process zebra/zebra_rib.c:1240 FRRouting#4 0x555555711a05 in process_subq_route zebra/zebra_rib.c:2245 FRRouting#5 0x555555711d2e in process_subq zebra/zebra_rib.c:2286 FRRouting#6 0x555555711ec7 in meta_queue_process zebra/zebra_rib.c:2320 FRRouting#7 0x7ffff74701f7 in work_queue_run lib/workqueue.c:291 FRRouting#8 0x7ffff7450e9c in thread_call lib/thread.c:1581 FRRouting#9 0x7ffff738eaf7 in frr_run lib/libfrr.c:1099 FRRouting#10 0x55555561a578 in main zebra/main.c:455 FRRouting#11 0x7ffff7079cc9 in __libc_start_main ../csu/libc-start.c:308 previously allocated by thread T0 here: #0 0x7ffff768c037 in calloc (/lib/x86_64-linux-gnu/libasan.so.6+0xaa037) FRRouting#1 0x7ffff739cb98 in qcalloc lib/memory.c:110 FRRouting#2 0x555555712ace in zebra_rib_create_dest zebra/zebra_rib.c:2515 FRRouting#3 0x555555712c6c in rib_link zebra/zebra_rib.c:2576 FRRouting#4 0x555555712faa in rib_addnode zebra/zebra_rib.c:2607 FRRouting#5 0x555555715bf0 in rib_add_multipath_nhe zebra/zebra_rib.c:3012 FRRouting#6 0x555555715f56 in rib_add_multipath zebra/zebra_rib.c:3049 FRRouting#7 0x55555571788b in rib_add zebra/zebra_rib.c:3327 FRRouting#8 0x5555555e584a in connected_up zebra/connected.c:254 FRRouting#9 0x5555555e42ff in connected_announce zebra/connected.c:94 FRRouting#10 0x5555555e4fd3 in connected_update zebra/connected.c:195 FRRouting#11 0x5555555e61ad in connected_add_ipv4 zebra/connected.c:340 FRRouting#12 0x5555555f26f5 in netlink_interface_addr zebra/if_netlink.c:1213 FRRouting#13 0x55555560f756 in netlink_information_fetch zebra/kernel_netlink.c:350 FRRouting#14 0x555555612e49 in netlink_parse_info zebra/kernel_netlink.c:941 FRRouting#15 0x55555560f9f1 in kernel_read zebra/kernel_netlink.c:402 FRRouting#16 0x7ffff7450e9c in thread_call lib/thread.c:1581 FRRouting#17 0x7ffff738eaf7 in frr_run lib/libfrr.c:1099 FRRouting#18 0x55555561a578 in main zebra/main.c:455 FRRouting#19 0x7ffff7079cc9 in __libc_start_main ../csu/libc-start.c:308 SUMMARY: AddressSanitizer: heap-use-after-free zebra/rib.h:222 in re_list_const_first This is happening because we are using the dest pointer after a call into rib_gc_dest. In process_subq_route, we call rib_process() and if the dest is deleted dest pointer is now garbage. We must reload the dest pointer in this case. Signed-off-by: Donald Sharp <sharpd@nvidia.com>

Temporal fix Thread 2.1 "bgpd" received signal SIGSEGV, Segmentation fault. 0x00007ffff7b14180 in route_top (table=0x0) at lib/table.c:401 401 if (table->top == NULL) (gdb) bt \#0 0x00007ffff7b14180 in route_top (table=0x0) at lib/table.c:401 \#1 0x0000555555657286 in bgp_table_top (table=0x55555629c440) at ./bgpd/bgp_table.h:203 \#2 0x0000555555666dd0 in bgp_soft_reconfig_table_flag (srta=0x55555bc68fd0, flag=false) at bgpd/bgp_route.c:4669 \#3 0x0000555555666f5e in bgp_soft_reconfig_table_thread_cancel (nsrta=0x0, bgp=0x5555562767a0) at bgpd/bgp_route.c:4698 \FRRouting#4 0x00005555556e9463 in bgp_delete (bgp=0x5555562767a0) at bgpd/bgpd.c:3482 \FRRouting#5 0x00005555556f9ae5 in bgp_router_destroy (args=0x7fffffff6b90) at bgpd/bgp_nb_config.c:176 \FRRouting#6 0x00007ffff7ad985d in nb_callback_destroy (context=0x7fffffff7180, nb_node=0x555555c0c580, event=NB_EV_APPLY, dnode=0x5555563cdbf0, errmsg=0x7fffffff7190 "", errmsg_len=8192) at lib/northbound.c:970 \FRRouting#7 0x00007ffff7ada17a in nb_callback_configuration (context=0x7fffffff7180, event=NB_EV_APPLY, change=0x55555d5aa560, errmsg=0x7fffffff7190 "", errmsg_len=8192) at lib/northbound.c:1195 \FRRouting#8 0x00007ffff7ada564 in nb_transaction_process (event=NB_EV_APPLY, transaction=0x55556a6ed510, errmsg=0x7fffffff7190 "", errmsg_len=8192) at lib/northbound.c:1312 \FRRouting#9 0x00007ffff7ad900b in nb_candidate_commit_apply (transaction=0x55556a6ed510, save_transaction=true, transaction_id=0x0, errmsg=0x7fffffff7190 "", errmsg_len=8192) at lib/northbound.c:745 \FRRouting#10 0x00007ffff7ad912e in nb_candidate_commit (context=0x7fffffff7180, candidate=0x555555bddd00, save_transaction=true, comment=0x0, transaction_id=0x0, errmsg=0x7fffffff7190 "", errmsg_len=8192) at lib/northbound.c:777 \FRRouting#11 0x00007ffff7ae0249 in nb_cli_classic_commit (vty=0x555557b62790) at lib/northbound_cli.c:64 \FRRouting#12 0x00007ffff7ae0cce in nb_cli_apply_changes (vty=0x555557b62790, xpath_base_fmt=0x7fffffffb730 "/frr-routing:routing/control-plane-protocols/control-plane-protocol[type='frr-bgp:bgp'][name='bgp'][vrf='default']/frr-bgp:bgp") at lib/northbound_cli.c:281 \FRRouting#13 0x00005555556a01e6 in no_router_bgp (self=0x555555a28140 <no_router_bgp_cmd>, vty=0x555557b62790, argc=3, argv=0x555560be1bd0) at bgpd/bgp_vty.c:1466 \FRRouting#14 0x00007ffff7a90ebc in cmd_execute_command_real (vline=0x55556635c140, filter=FILTER_RELAXED, vty=0x555557b62790, cmd=0x0) at lib/command.c:938 \FRRouting#15 0x00007ffff7a91031 in cmd_execute_command (vline=0x55556635c140, vty=0x555557b62790, cmd=0x0, vtysh=0) at lib/command.c:997 \FRRouting#16 0x00007ffff7a91586 in cmd_execute (vty=0x555557b62790, cmd=0x555557b68f20 "no router bgp", matched=0x0, vtysh=0) at lib/command.c:1162 \FRRouting#17 0x00007ffff7b228f9 in vty_command (vty=0x555557b62790, buf=0x555557b68f20 "no router bgp") at lib/vty.c:517 \FRRouting#18 0x00007ffff7b2465b in vty_execute (vty=0x555557b62790) at lib/vty.c:1282 \FRRouting#19 0x00007ffff7b2656e in vtysh_read (thread=0x7fffffffe2e0) at lib/vty.c:2120 \FRRouting#20 0x00007ffff7b1bd23 in thread_call (thread=0x7fffffffe2e0) at lib/thread.c:1681 \FRRouting#21 0x00007ffff7ac7fc2 in frr_run (master=0x555555a6aab0) at lib/libfrr.c:1110 \FRRouting#22 0x00005555555d88b2 in main (argc=4, argv=0x7fffffffe518) at bgpd/bgp_main.c:523 Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>

When zebra is running with debugs turned on there is a use after free reported by the address sanitizer: 2020/10/16 12:58:02 ZEBRA: rib_delnode: (0:254):4.5.6.16/32: rn 0x60b000026f20, re 0x6080000131a0, removing 2020/10/16 12:58:02 ZEBRA: rib_meta_queue_add: (0:254):4.5.6.16/32: queued rn 0x60b000026f20 into sub-queue 3 ================================================================= ==3101430==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000011d28 at pc 0x555555705ab6 bp 0x7fffffffdab0 sp 0x7fffffffdaa8 READ of size 8 at 0x608000011d28 thread T0 #0 0x555555705ab5 in re_list_const_first zebra/rib.h:222 #1 0x555555705b54 in re_list_first zebra/rib.h:222 #2 0x555555711a4f in process_subq_route zebra/zebra_rib.c:2248 FRRouting#3 0x555555711d2e in process_subq zebra/zebra_rib.c:2286 FRRouting#4 0x555555711ec7 in meta_queue_process zebra/zebra_rib.c:2320 FRRouting#5 0x7ffff74701f7 in work_queue_run lib/workqueue.c:291 FRRouting#6 0x7ffff7450e9c in thread_call lib/thread.c:1581 FRRouting#7 0x7ffff738eaf7 in frr_run lib/libfrr.c:1099 FRRouting#8 0x55555561a578 in main zebra/main.c:455 FRRouting#9 0x7ffff7079cc9 in __libc_start_main ../csu/libc-start.c:308 FRRouting#10 0x5555555e3429 in _start (/usr/lib/frr/zebra+0x8f429) 0x608000011d28 is located 8 bytes inside of 88-byte region [0x608000011d20,0x608000011d78) freed by thread T0 here: #0 0x7ffff768bb6f in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.6+0xa9b6f) #1 0x7ffff739ccad in qfree lib/memory.c:129 #2 0x555555709ee4 in rib_gc_dest zebra/zebra_rib.c:746 FRRouting#3 0x55555570ca76 in rib_process zebra/zebra_rib.c:1240 FRRouting#4 0x555555711a05 in process_subq_route zebra/zebra_rib.c:2245 FRRouting#5 0x555555711d2e in process_subq zebra/zebra_rib.c:2286 FRRouting#6 0x555555711ec7 in meta_queue_process zebra/zebra_rib.c:2320 FRRouting#7 0x7ffff74701f7 in work_queue_run lib/workqueue.c:291 FRRouting#8 0x7ffff7450e9c in thread_call lib/thread.c:1581 FRRouting#9 0x7ffff738eaf7 in frr_run lib/libfrr.c:1099 FRRouting#10 0x55555561a578 in main zebra/main.c:455 FRRouting#11 0x7ffff7079cc9 in __libc_start_main ../csu/libc-start.c:308 previously allocated by thread T0 here: #0 0x7ffff768c037 in calloc (/lib/x86_64-linux-gnu/libasan.so.6+0xaa037) #1 0x7ffff739cb98 in qcalloc lib/memory.c:110 #2 0x555555712ace in zebra_rib_create_dest zebra/zebra_rib.c:2515 FRRouting#3 0x555555712c6c in rib_link zebra/zebra_rib.c:2576 FRRouting#4 0x555555712faa in rib_addnode zebra/zebra_rib.c:2607 FRRouting#5 0x555555715bf0 in rib_add_multipath_nhe zebra/zebra_rib.c:3012 FRRouting#6 0x555555715f56 in rib_add_multipath zebra/zebra_rib.c:3049 FRRouting#7 0x55555571788b in rib_add zebra/zebra_rib.c:3327 FRRouting#8 0x5555555e584a in connected_up zebra/connected.c:254 FRRouting#9 0x5555555e42ff in connected_announce zebra/connected.c:94 FRRouting#10 0x5555555e4fd3 in connected_update zebra/connected.c:195 FRRouting#11 0x5555555e61ad in connected_add_ipv4 zebra/connected.c:340 FRRouting#12 0x5555555f26f5 in netlink_interface_addr zebra/if_netlink.c:1213 FRRouting#13 0x55555560f756 in netlink_information_fetch zebra/kernel_netlink.c:350 FRRouting#14 0x555555612e49 in netlink_parse_info zebra/kernel_netlink.c:941 FRRouting#15 0x55555560f9f1 in kernel_read zebra/kernel_netlink.c:402 FRRouting#16 0x7ffff7450e9c in thread_call lib/thread.c:1581 FRRouting#17 0x7ffff738eaf7 in frr_run lib/libfrr.c:1099 FRRouting#18 0x55555561a578 in main zebra/main.c:455 FRRouting#19 0x7ffff7079cc9 in __libc_start_main ../csu/libc-start.c:308 SUMMARY: AddressSanitizer: heap-use-after-free zebra/rib.h:222 in re_list_const_first This is happening because we are using the dest pointer after a call into rib_gc_dest. In process_subq_route, we call rib_process() and if the dest is deleted dest pointer is now garbage. We must reload the dest pointer in this case. Signed-off-by: Donald Sharp <sharpd@nvidia.com>

cmgd: delete-config command

ASAN reported the following memleak: ``` Direct leak of 40 byte(s) in 1 object(s) allocated from: #0 0x4d4342 in calloc (/usr/lib/frr/bgpd+0x4d4342) FRRouting#1 0xbc3d68 in qcalloc /home/sharpd/frr8/lib/memory.c:116:27 FRRouting#2 0xb869f7 in list_new /home/sharpd/frr8/lib/linklist.c:64:9 FRRouting#3 0x5a38bc in bgp_evpn_remote_ip_hash_alloc /home/sharpd/frr8/bgpd/bgp_evpn.c:6789:24 FRRouting#4 0xb358d3 in hash_get /home/sharpd/frr8/lib/hash.c:162:13 FRRouting#5 0x593d39 in bgp_evpn_remote_ip_hash_add /home/sharpd/frr8/bgpd/bgp_evpn.c:6881:7 FRRouting#6 0x59dbbd in install_evpn_route_entry_in_vni_common /home/sharpd/frr8/bgpd/bgp_evpn.c:3049:2 FRRouting#7 0x59cfe0 in install_evpn_route_entry_in_vni_ip /home/sharpd/frr8/bgpd/bgp_evpn.c:3126:8 FRRouting#8 0x59c6f0 in install_evpn_route_entry /home/sharpd/frr8/bgpd/bgp_evpn.c:3318:8 FRRouting#9 0x59bb52 in install_uninstall_route_in_vnis /home/sharpd/frr8/bgpd/bgp_evpn.c:3888:10 FRRouting#10 0x59b6d2 in bgp_evpn_install_uninstall_table /home/sharpd/frr8/bgpd/bgp_evpn.c:4019:5 FRRouting#11 0x578857 in install_uninstall_evpn_route /home/sharpd/frr8/bgpd/bgp_evpn.c:4051:9 FRRouting#12 0x58ada6 in bgp_evpn_import_route /home/sharpd/frr8/bgpd/bgp_evpn.c:6049:9 FRRouting#13 0x713794 in bgp_update /home/sharpd/frr8/bgpd/bgp_route.c:4842:3 FRRouting#14 0x583fa0 in process_type2_route /home/sharpd/frr8/bgpd/bgp_evpn.c:4518:9 FRRouting#15 0x5824ba in bgp_nlri_parse_evpn /home/sharpd/frr8/bgpd/bgp_evpn.c:5732:8 FRRouting#16 0x6ae6a2 in bgp_nlri_parse /home/sharpd/frr8/bgpd/bgp_packet.c:363:10 FRRouting#17 0x6be6fa in bgp_update_receive /home/sharpd/frr8/bgpd/bgp_packet.c:2020:15 FRRouting#18 0x6b7433 in bgp_process_packet /home/sharpd/frr8/bgpd/bgp_packet.c:2929:11 FRRouting#19 0xd00146 in thread_call /home/sharpd/frr8/lib/thread.c:2006:2 ``` The list itself was not being cleaned up when the final list entry was removed, so make sure we do that instead of leaking memory. Signed-off-by: Trey Aspelund <taspelund@nvidia.com>

A BGP crash happens when the 'show bgp label-nexthop' is executed, on a BGP VRF configuration with the 'label vpn export allocation-mode per-nexthop' command configured. > (gdb) bt > #0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=140039420118912) at ./nptl/pthread_kill.c:44 > FRRouting#1 __pthread_kill_internal (signo=6, threadid=140039420118912) at ./nptl/pthread_kill.c:78 > FRRouting#2 __GI___pthread_kill (threadid=140039420118912, signo=signo@entry=6) at ./nptl/pthread_kill.c:89 > FRRouting#3 0x00007f5d78063476 in __GI_raise (sig=6) at ../sysdeps/posix/raise.c:26 > FRRouting#4 0x00007f5d78448705 in core_handler (signo=6, siginfo=0x7ffffe2e0f70, context=0x7ffffe2e0e40) > at /build/make-pkg/output/_packages/cp-routing/src/lib/sigevent.c:262 > FRRouting#5 <signal handler called> > FRRouting#6 __pthread_kill_implementation (no_tid=0, signo=6, threadid=140039420118912) at ./nptl/pthread_kill.c:44 > FRRouting#7 __pthread_kill_internal (signo=6, threadid=140039420118912) at ./nptl/pthread_kill.c:78 > FRRouting#8 __GI___pthread_kill (threadid=140039420118912, signo=signo@entry=6) at ./nptl/pthread_kill.c:89 > FRRouting#9 0x00007f5d78063476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26 > FRRouting#10 0x00007f5d780497f3 in __GI_abort () at ./stdlib/abort.c:79 > FRRouting#11 0x00007f5d7848872f in _zlog_assert_failed (xref=0x5605f59a4ec0 <_xref.9>, extra=0x0) > at /build/make-pkg/output/_packages/cp-routing/src/lib/zlog.c:557 > FRRouting#12 0x00005605f57ad3ab in show_bgp_nexthop_label_afi (vty=0x5605f79138e0, afi=AFI_IP, bgp=0x5605f7855090, detail=true) > at /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_labelpool.c:1071 > FRRouting#13 0x00005605f57ad62a in show_bgp_nexthop_label (self=0x5605f59a4920 <show_bgp_nexthop_label_cmd>, vty=0x5605f79138e0, argc=6, argv=0x5605f77c5cc0) > at /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_labelpool.c:1116 > FRRouting#14 0x00007f5d783bb858 in cmd_execute_command_real (vline=0x5605f791c060, filter=FILTER_RELAXED, vty=0x5605f79138e0, cmd=0x0, up_level=0) > at /build/make-pkg/output/_packages/cp-routing/src/lib/command.c:1070 > FRRouting#15 0x00007f5d783bb9dd in cmd_execute_command (vline=0x5605f791c060, vty=0x5605f79138e0, cmd=0x0, vtysh=0) > at /build/make-pkg/output/_packages/cp-routing/src/lib/command.c:1130 > FRRouting#16 0x00007f5d783bbf8a in cmd_execute (vty=0x5605f79138e0, cmd=0x5605f791a010 "show bgp vrf vrf1 label-nexthop detail", matched=0x0, vtysh=0) > at /build/make-pkg/output/_packages/cp-routing/src/lib/command.c:1294 > FRRouting#17 0x00007f5d7846965c in vty_command (vty=0x5605f79138e0, buf=0x5605f791a010 "show bgp vrf vrf1 label-nexthop detail") > at /build/make-pkg/output/_packages/cp-routing/src/lib/vty.c:530 > FRRouting#18 0x00007f5d7846b52c in vty_execute (vty=0x5605f79138e0) at /build/make-pkg/output/_packages/cp-routing/src/lib/vty.c:1296 > FRRouting#19 0x00007f5d7846d508 in vtysh_read (thread=0x7ffffe2e4410) at /build/make-pkg/output/_packages/cp-routing/src/lib/vty.c:2137 > FRRouting#20 0x00007f5d78461fe6 in thread_call (thread=0x7ffffe2e4410) at /build/make-pkg/output/_packages/cp-routing/src/lib/thread.c:1825 > > (gdb) frame 12 > FRRouting#12 0x00005605f57ad3ab in show_bgp_nexthop_label_afi (vty=0x5605f79138e0, afi=AFI_IP, bgp=0x5605f7855090, detail=true) > at /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_labelpool.c:1071 > This crash is a segmentation fault: the 'path' pointer is not a valid pointer; consequently, the 'dest' and the 'table' pointer are also invalid. The 'path' pointer is a 'bgp_path_info' structure previously freed when a peer down event occured. The 'show bgp label-nexthop' command was attempting to dump the 'bgp_path_info' entries referenced in the 'bgp_label_per_nexthop_cache' entries. As the 'bgp_path_info' entries were invalid, the crash happened. To illustrate, the below dump shows 3 path entries linked to the '192.0.2.11' next-hop, whereas the '192.0.2.11' peer has been removed. > dut-vm# show bgp vrf vrf1 label-nexthop > Current BGP label nexthop cache for IPv4, VRF VRF vrf1 > 192.0.2.11, label 20 #paths 3 > if r1-eth1 > Last update: Wed May 24 15:16:21 2023 > dut-vm# show bgp vrf vrf1 label-nexthop detail > <-- crash When the 'bgp_path_info' entries are freed, the 'bgp_mplsvpn_path_nh_label_unlink()' function is called. The 'pi->net' pointer is needed to check the BGP RIB table is the SAFI_UNICAST routing table, and to de-reference the 'bgp_labl_per_nexthop_cache' entry from the 'bgp_path_info' entry. In this case, the 'pi->net' was unset. Fix this by introducing a new 'mplsvpn_usage' field to determine if the 'bgp_path_info' structure contains a 'bgp_mplsvpn_label_nh' structure. Fixes: ("bgpd: allocate label bound to received mpls vpn routes") Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>

This commit ensures proper cleanup by deleting the gm_join_list when a PIM interface is deleted. The gm_join_list was previously not being freed, causing a memory leak. The ASan leak log for reference: ``` *********************************************************************************** Address Sanitizer Error detected in multicast_mld_join_topo1.test_multicast_mld_local_join/r1.asan.pim6d.28070 ================================================================= ==28070==ERROR: LeakSanitizer: detected memory leaks Direct leak of 40 byte(s) in 1 object(s) allocated from: #0 0x7f3605dbfd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) FRRouting#1 0x56230373dd6b in qcalloc lib/memory.c:105 FRRouting#2 0x56230372180f in list_new lib/linklist.c:49 FRRouting#3 0x56230361b589 in pim_if_gm_join_add pimd/pim_iface.c:1313 FRRouting#4 0x562303642247 in lib_interface_gmp_address_family_static_group_create pimd/pim_nb_config.c:2868 FRRouting#5 0x562303767280 in nb_callback_create lib/northbound.c:1235 FRRouting#6 0x562303767280 in nb_callback_configuration lib/northbound.c:1579 FRRouting#7 0x562303768a1d in nb_transaction_process lib/northbound.c:1710 FRRouting#8 0x56230376904a in nb_candidate_commit_apply lib/northbound.c:1104 FRRouting#9 0x5623037692ba in nb_candidate_commit lib/northbound.c:1137 FRRouting#10 0x562303769dec in nb_cli_classic_commit lib/northbound_cli.c:49 FRRouting#11 0x56230376fb79 in nb_cli_pending_commit_check lib/northbound_cli.c:88 FRRouting#12 0x5623036c5bcb in cmd_execute_command_real lib/command.c:991 FRRouting#13 0x5623036c5f1b in cmd_execute_command lib/command.c:1053 FRRouting#14 0x5623036c6392 in cmd_execute lib/command.c:1221 FRRouting#15 0x5623037e75da in vty_command lib/vty.c:591 FRRouting#16 0x5623037e7a74 in vty_execute lib/vty.c:1354 FRRouting#17 0x5623037f0253 in vtysh_read lib/vty.c:2362 FRRouting#18 0x5623037db4e8 in event_call lib/event.c:1995 FRRouting#19 0x562303720f97 in frr_run lib/libfrr.c:1213 FRRouting#20 0x56230368615d in main pimd/pim6_main.c:184 FRRouting#21 0x7f360461bc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 192 byte(s) in 4 object(s) allocated from: #0 0x7f3605dbfd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) FRRouting#1 0x56230373dd6b in qcalloc lib/memory.c:105 FRRouting#2 0x56230361b91d in gm_join_new pimd/pim_iface.c:1288 FRRouting#3 0x56230361b91d in pim_if_gm_join_add pimd/pim_iface.c:1326 FRRouting#4 0x562303642247 in lib_interface_gmp_address_family_static_group_create pimd/pim_nb_config.c:2868 FRRouting#5 0x562303767280 in nb_callback_create lib/northbound.c:1235 FRRouting#6 0x562303767280 in nb_callback_configuration lib/northbound.c:1579 FRRouting#7 0x562303768a1d in nb_transaction_process lib/northbound.c:1710 FRRouting#8 0x56230376904a in nb_candidate_commit_apply lib/northbound.c:1104 FRRouting#9 0x5623037692ba in nb_candidate_commit lib/northbound.c:1137 FRRouting#10 0x562303769dec in nb_cli_classic_commit lib/northbound_cli.c:49 FRRouting#11 0x56230376fb79 in nb_cli_pending_commit_check lib/northbound_cli.c:88 FRRouting#12 0x5623036c5bcb in cmd_execute_command_real lib/command.c:991 FRRouting#13 0x5623036c5f1b in cmd_execute_command lib/command.c:1053 FRRouting#14 0x5623036c6392 in cmd_execute lib/command.c:1221 FRRouting#15 0x5623037e75da in vty_command lib/vty.c:591 FRRouting#16 0x5623037e7a74 in vty_execute lib/vty.c:1354 FRRouting#17 0x5623037f0253 in vtysh_read lib/vty.c:2362 FRRouting#18 0x5623037db4e8 in event_call lib/event.c:1995 FRRouting#19 0x562303720f97 in frr_run lib/libfrr.c:1213 FRRouting#20 0x56230368615d in main pimd/pim6_main.c:184 FRRouting#21 0x7f360461bc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 96 byte(s) in 4 object(s) allocated from: #0 0x7f3605dbfd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) FRRouting#1 0x56230373dd6b in qcalloc lib/memory.c:105 FRRouting#2 0x562303721651 in listnode_new lib/linklist.c:71 FRRouting#3 0x56230372182b in listnode_add lib/linklist.c:92 FRRouting#4 0x56230361ba9a in gm_join_new pimd/pim_iface.c:1295 FRRouting#5 0x56230361ba9a in pim_if_gm_join_add pimd/pim_iface.c:1326 FRRouting#6 0x562303642247 in lib_interface_gmp_address_family_static_group_create pimd/pim_nb_config.c:2868 FRRouting#7 0x562303767280 in nb_callback_create lib/northbound.c:1235 FRRouting#8 0x562303767280 in nb_callback_configuration lib/northbound.c:1579 FRRouting#9 0x562303768a1d in nb_transaction_process lib/northbound.c:1710 FRRouting#10 0x56230376904a in nb_candidate_commit_apply lib/northbound.c:1104 FRRouting#11 0x5623037692ba in nb_candidate_commit lib/northbound.c:1137 FRRouting#12 0x562303769dec in nb_cli_classic_commit lib/northbound_cli.c:49 FRRouting#13 0x56230376fb79 in nb_cli_pending_commit_check lib/northbound_cli.c:88 FRRouting#14 0x5623036c5bcb in cmd_execute_command_real lib/command.c:991 FRRouting#15 0x5623036c5f1b in cmd_execute_command lib/command.c:1053 FRRouting#16 0x5623036c6392 in cmd_execute lib/command.c:1221 FRRouting#17 0x5623037e75da in vty_command lib/vty.c:591 FRRouting#18 0x5623037e7a74 in vty_execute lib/vty.c:1354 FRRouting#19 0x5623037f0253 in vtysh_read lib/vty.c:2362 FRRouting#20 0x5623037db4e8 in event_call lib/event.c:1995 FRRouting#21 0x562303720f97 in frr_run lib/libfrr.c:1213 FRRouting#22 0x56230368615d in main pimd/pim6_main.c:184 FRRouting#23 0x7f360461bc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 48 byte(s) in 1 object(s) allocated from: #0 0x7f3605dbfd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) FRRouting#1 0x56230373dd6b in qcalloc lib/memory.c:105 FRRouting#2 0x56230361b91d in gm_join_new pimd/pim_iface.c:1288 FRRouting#3 0x56230361b91d in pim_if_gm_join_add pimd/pim_iface.c:1326 FRRouting#4 0x562303642247 in lib_interface_gmp_address_family_static_group_create pimd/pim_nb_config.c:2868 FRRouting#5 0x562303767280 in nb_callback_create lib/northbound.c:1235 FRRouting#6 0x562303767280 in nb_callback_configuration lib/northbound.c:1579 FRRouting#7 0x562303768a1d in nb_transaction_process lib/northbound.c:1710 FRRouting#8 0x56230376904a in nb_candidate_commit_apply lib/northbound.c:1104 FRRouting#9 0x5623037692ba in nb_candidate_commit lib/northbound.c:1137 FRRouting#10 0x562303769dec in nb_cli_classic_commit lib/northbound_cli.c:49 FRRouting#11 0x56230376fb79 in nb_cli_pending_commit_check lib/northbound_cli.c:88 FRRouting#12 0x5623036c5bcb in cmd_execute_command_real lib/command.c:991 FRRouting#13 0x5623036c5f6f in cmd_execute_command lib/command.c:1072 FRRouting#14 0x5623036c6392 in cmd_execute lib/command.c:1221 FRRouting#15 0x5623037e75da in vty_command lib/vty.c:591 FRRouting#16 0x5623037e7a74 in vty_execute lib/vty.c:1354 FRRouting#17 0x5623037f0253 in vtysh_read lib/vty.c:2362 FRRouting#18 0x5623037db4e8 in event_call lib/event.c:1995 FRRouting#19 0x562303720f97 in frr_run lib/libfrr.c:1213 FRRouting#20 0x56230368615d in main pimd/pim6_main.c:184 FRRouting#21 0x7f360461bc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) Indirect leak of 24 byte(s) in 1 object(s) allocated from: #0 0x7f3605dbfd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28) FRRouting#1 0x56230373dd6b in qcalloc lib/memory.c:105 FRRouting#2 0x562303721651 in listnode_new lib/linklist.c:71 FRRouting#3 0x56230372182b in listnode_add lib/linklist.c:92 FRRouting#4 0x56230361ba9a in gm_join_new pimd/pim_iface.c:1295 FRRouting#5 0x56230361ba9a in pim_if_gm_join_add pimd/pim_iface.c:1326 FRRouting#6 0x562303642247 in lib_interface_gmp_address_family_static_group_create pimd/pim_nb_config.c:2868 FRRouting#7 0x562303767280 in nb_callback_create lib/northbound.c:1235 FRRouting#8 0x562303767280 in nb_callback_configuration lib/northbound.c:1579 FRRouting#9 0x562303768a1d in nb_transaction_process lib/northbound.c:1710 FRRouting#10 0x56230376904a in nb_candidate_commit_apply lib/northbound.c:1104 FRRouting#11 0x5623037692ba in nb_candidate_commit lib/northbound.c:1137 FRRouting#12 0x562303769dec in nb_cli_classic_commit lib/northbound_cli.c:49 FRRouting#13 0x56230376fb79 in nb_cli_pending_commit_check lib/northbound_cli.c:88 FRRouting#14 0x5623036c5bcb in cmd_execute_command_real lib/command.c:991 FRRouting#15 0x5623036c5f6f in cmd_execute_command lib/command.c:1072 FRRouting#16 0x5623036c6392 in cmd_execute lib/command.c:1221 FRRouting#17 0x5623037e75da in vty_command lib/vty.c:591 FRRouting#18 0x5623037e7a74 in vty_execute lib/vty.c:1354 FRRouting#19 0x5623037f0253 in vtysh_read lib/vty.c:2362 FRRouting#20 0x5623037db4e8 in event_call lib/event.c:1995 FRRouting#21 0x562303720f97 in frr_run lib/libfrr.c:1213 FRRouting#22 0x56230368615d in main pimd/pim6_main.c:184 FRRouting#23 0x7f360461bc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) SUMMARY: AddressSanitizer: 400 byte(s) leaked in 11 allocation(s). *********************************************************************************** ``` Signed-off-by: Keelan Cannoo <keelan.cannoo@icloud.com>

When 'no rpki' is requested and the rtrlib RPKI object was freed, bgpd is crashing. RPKI is configured in VRF red. > ip l set red down > ip l del red > printf 'conf\n vrf red\n no rpki' | vtysh > Core was generated by `/usr/bin/bgpd -A 127.0.0.1 -M snmp -M rpki -M bmp'. > Program terminated with signal SIGSEGV, Segmentation fault. > #0 __pthread_kill_implementation (no_tid=0, signo=11, threadid=140411103615424) at ./nptl/pthread_kill.c:44 > 44 ./nptl/pthread_kill.c: No such file or directory. > [Current thread is 1 (Thread 0x7fb401f419c0 (LWP 190226))] > (gdb) bt > #0 __pthread_kill_implementation (no_tid=0, signo=11, threadid=140411103615424) at ./nptl/pthread_kill.c:44 > #1 __pthread_kill_internal (signo=11, threadid=140411103615424) at ./nptl/pthread_kill.c:78 > #2 __GI___pthread_kill (threadid=140411103615424, signo=signo@entry=11) at ./nptl/pthread_kill.c:89 > #3 0x00007fb4021ad476 in __GI_raise (sig=11) at ../sysdeps/posix/raise.c:26 > #4 0x00007fb4025ce22b in core_handler (signo=11, siginfo=0x7fff831b2d70, context=0x7fff831b2c40) at lib/sigevent.c:248 > #5 <signal handler called> > #6 rtr_mgr_remove_group (config=0x55fe8789f750, preference=11) at /build/make-pkg/output/source/DIST_RTRLIB/rtrlib/rtrlib/rtr_mgr.c:607 > #7 0x00007fb40145f518 in rpki_delete_all_cache_nodes (rpki_vrf=0x55fe8789f4f0) at bgpd/bgp_rpki.c:442 > #8 0x00007fb401463098 in no_rpki_magic (self=0x7fb40146bba0 <no_rpki_cmd>, vty=0x55fe877f5130, argc=2, argv=0x55fe877fccd0) at bgpd/bgp_rpki.c:1732 > #9 0x00007fb40145c09a in no_rpki (self=0x7fb40146bba0 <no_rpki_cmd>, vty=0x55fe877f5130, argc=2, argv=0x55fe877fccd0) at ./bgpd/bgp_rpki_clippy.c:37 > #10 0x00007fb402527abc in cmd_execute_command_real (vline=0x55fe877fd150, vty=0x55fe877f5130, cmd=0x0, up_level=0) at lib/command.c:984 > #11 0x00007fb402527c35 in cmd_execute_command (vline=0x55fe877fd150, vty=0x55fe877f5130, cmd=0x0, vtysh=0) at lib/command.c:1043 > #12 0x00007fb4025281e5 in cmd_execute (vty=0x55fe877f5130, cmd=0x55fe877fb8c0 "no rpki\n", matched=0x0, vtysh=0) at lib/command.c:1209 > #13 0x00007fb4025f0aed in vty_command (vty=0x55fe877f5130, buf=0x55fe877fb8c0 "no rpki\n") at lib/vty.c:615 > #14 0x00007fb4025f2a11 in vty_execute (vty=0x55fe877f5130) at lib/vty.c:1378 > #15 0x00007fb4025f513d in vtysh_read (thread=0x7fff831b5fa0) at lib/vty.c:2373 > #16 0x00007fb4025e9611 in event_call (thread=0x7fff831b5fa0) at lib/event.c:2011 > #17 0x00007fb402566976 in frr_run (master=0x55fe871a14a0) at lib/libfrr.c:1212 > #18 0x000055fe857829fa in main (argc=9, argv=0x7fff831b6218) at bgpd/bgp_main.c:549 Fixes: 8156765 ("bgpd: Add `no rpki` command") Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com> (cherry picked from commit 4e053d6) There is also an issue when doing "rpki reset" and then "no rpki". Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com> (cherry picked from commit c4e4e6c)

Fix crash when flex-algo is configured and mpls-te is disabled. > interface eth0 > ip router isis 1 > ! > router isis 1 > flex-algo 129 > dataplane sr-mpls > advertise-definition > #0 __pthread_kill_implementation (no_tid=0, signo=11, threadid=140486233631168) at ./nptl/pthread_kill.c:44 > #1 __pthread_kill_internal (signo=11, threadid=140486233631168) at ./nptl/pthread_kill.c:78 > #2 __GI___pthread_kill (threadid=140486233631168, signo=signo@entry=11) at ./nptl/pthread_kill.c:89 > #3 0x00007fc5802e9476 in __GI_raise (sig=11) at ../sysdeps/posix/raise.c:26 > FRRouting#4 0x00007fc58076021f in core_handler (signo=11, siginfo=0x7ffd38d42470, context=0x7ffd38d42340) at lib/sigevent.c:248 > FRRouting#5 <signal handler called> > FRRouting#6 0x000055c527f798c9 in isis_link_params_update_asla (circuit=0x55c52aaed3c0, ifp=0x55c52a1044e0) at isisd/isis_te.c:176 > FRRouting#7 0x000055c527fb29da in isis_instance_flex_algo_create (args=0x7ffd38d43120) at isisd/isis_nb_config.c:2875 > FRRouting#8 0x00007fc58072655b in nb_callback_create (context=0x55c52ab1d2f0, nb_node=0x55c529f72950, event=NB_EV_APPLY, dnode=0x55c52ab06230, resource=0x55c52ab189f8, errmsg=0x7ffd38d43750 "", > errmsg_len=8192) at lib/northbound.c:1262 > FRRouting#9 0x00007fc580727625 in nb_callback_configuration (context=0x55c52ab1d2f0, event=NB_EV_APPLY, change=0x55c52ab189c0, errmsg=0x7ffd38d43750 "", errmsg_len=8192) at lib/northbound.c:1662 > FRRouting#10 0x00007fc580727c39 in nb_transaction_process (event=NB_EV_APPLY, transaction=0x55c52ab1d2f0, errmsg=0x7ffd38d43750 "", errmsg_len=8192) at lib/northbound.c:1794 > FRRouting#11 0x00007fc580725f77 in nb_candidate_commit_apply (transaction=0x55c52ab1d2f0, save_transaction=true, transaction_id=0x0, errmsg=0x7ffd38d43750 "", errmsg_len=8192) > at lib/northbound.c:1131 > FRRouting#12 0x00007fc5807260d1 in nb_candidate_commit (context=..., candidate=0x55c529f0a730, save_transaction=true, comment=0x0, transaction_id=0x0, errmsg=0x7ffd38d43750 "", errmsg_len=8192) > at lib/northbound.c:1164 > FRRouting#13 0x00007fc58072d220 in nb_cli_classic_commit (vty=0x55c52a0fc6b0) at lib/northbound_cli.c:51 > FRRouting#14 0x00007fc58072d839 in nb_cli_apply_changes_internal (vty=0x55c52a0fc6b0, > xpath_base=0x7ffd38d477f0 "/frr-isisd:isis/instance[area-tag='1'][vrf='default']/flex-algos/flex-algo[flex-algo='129']", clear_pending=false) at lib/northbound_cli.c:178 > FRRouting#15 0x00007fc58072dbcf in nb_cli_apply_changes (vty=0x55c52a0fc6b0, xpath_base_fmt=0x55c528014de0 "./flex-algos/flex-algo[flex-algo='%ld']") at lib/northbound_cli.c:234 > FRRouting#16 0x000055c527fd3403 in flex_algo_magic (self=0x55c52804f1a0 <flex_algo_cmd>, vty=0x55c52a0fc6b0, argc=2, argv=0x55c52ab00ec0, algorithm=129, algorithm_str=0x55c52ab120d0 "129") > at isisd/isis_cli.c:3752 > FRRouting#17 0x000055c527fc97cb in flex_algo (self=0x55c52804f1a0 <flex_algo_cmd>, vty=0x55c52a0fc6b0, argc=2, argv=0x55c52ab00ec0) at ./isisd/isis_cli_clippy.c:6445 > FRRouting#18 0x00007fc5806b9abc in cmd_execute_command_real (vline=0x55c52aaf78f0, vty=0x55c52a0fc6b0, cmd=0x0, up_level=0) at lib/command.c:984 > FRRouting#19 0x00007fc5806b9c35 in cmd_execute_command (vline=0x55c52aaf78f0, vty=0x55c52a0fc6b0, cmd=0x0, vtysh=0) at lib/command.c:1043 > FRRouting#20 0x00007fc5806ba1e5 in cmd_execute (vty=0x55c52a0fc6b0, cmd=0x55c52aae6bd0 "flex-algo 129\n", matched=0x0, vtysh=0) at lib/command.c:1209 > FRRouting#21 0x00007fc580782ae1 in vty_command (vty=0x55c52a0fc6b0, buf=0x55c52aae6bd0 "flex-algo 129\n") at lib/vty.c:615 > FRRouting#22 0x00007fc580784a05 in vty_execute (vty=0x55c52a0fc6b0) at lib/vty.c:1378 > FRRouting#23 0x00007fc580787131 in vtysh_read (thread=0x7ffd38d4ab10) at lib/vty.c:2373 > FRRouting#24 0x00007fc58077b605 in event_call (thread=0x7ffd38d4ab10) at lib/event.c:2011 > FRRouting#25 0x00007fc5806f8976 in frr_run (master=0x55c529df9b30) at lib/libfrr.c:1212 > FRRouting#26 0x000055c527f301bc in main (argc=5, argv=0x7ffd38d4ad58, envp=0x7ffd38d4ad88) at isisd/isis_main.c:350 > (gdb) f 6 > FRRouting#6 0x000055c527f798c9 in isis_link_params_update_asla (circuit=0x55c52aaed3c0, ifp=0x55c52a1044e0) at isisd/isis_te.c:176 > 176 list_delete_all_node(ext->aslas); > (gdb) p ext > $1 = (struct isis_ext_subtlvs *) 0x0 Fixes: ae27101 ("isisd: fix building asla at first flex-algo config") Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>

Fix crash when flex-algo is configured and mpls-te is disabled. > interface eth0 > ip router isis 1 > ! > router isis 1 > flex-algo 129 > dataplane sr-mpls > advertise-definition > #0 __pthread_kill_implementation (no_tid=0, signo=11, threadid=140486233631168) at ./nptl/pthread_kill.c:44 > #1 __pthread_kill_internal (signo=11, threadid=140486233631168) at ./nptl/pthread_kill.c:78 > #2 __GI___pthread_kill (threadid=140486233631168, signo=signo@entry=11) at ./nptl/pthread_kill.c:89 > #3 0x00007fc5802e9476 in __GI_raise (sig=11) at ../sysdeps/posix/raise.c:26 > #4 0x00007fc58076021f in core_handler (signo=11, siginfo=0x7ffd38d42470, context=0x7ffd38d42340) at lib/sigevent.c:248 > #5 <signal handler called> > #6 0x000055c527f798c9 in isis_link_params_update_asla (circuit=0x55c52aaed3c0, ifp=0x55c52a1044e0) at isisd/isis_te.c:176 > #7 0x000055c527fb29da in isis_instance_flex_algo_create (args=0x7ffd38d43120) at isisd/isis_nb_config.c:2875 > #8 0x00007fc58072655b in nb_callback_create (context=0x55c52ab1d2f0, nb_node=0x55c529f72950, event=NB_EV_APPLY, dnode=0x55c52ab06230, resource=0x55c52ab189f8, errmsg=0x7ffd38d43750 "", > errmsg_len=8192) at lib/northbound.c:1262 > #9 0x00007fc580727625 in nb_callback_configuration (context=0x55c52ab1d2f0, event=NB_EV_APPLY, change=0x55c52ab189c0, errmsg=0x7ffd38d43750 "", errmsg_len=8192) at lib/northbound.c:1662 > #10 0x00007fc580727c39 in nb_transaction_process (event=NB_EV_APPLY, transaction=0x55c52ab1d2f0, errmsg=0x7ffd38d43750 "", errmsg_len=8192) at lib/northbound.c:1794 > #11 0x00007fc580725f77 in nb_candidate_commit_apply (transaction=0x55c52ab1d2f0, save_transaction=true, transaction_id=0x0, errmsg=0x7ffd38d43750 "", errmsg_len=8192) > at lib/northbound.c:1131 > #12 0x00007fc5807260d1 in nb_candidate_commit (context=..., candidate=0x55c529f0a730, save_transaction=true, comment=0x0, transaction_id=0x0, errmsg=0x7ffd38d43750 "", errmsg_len=8192) > at lib/northbound.c:1164 > #13 0x00007fc58072d220 in nb_cli_classic_commit (vty=0x55c52a0fc6b0) at lib/northbound_cli.c:51 > #14 0x00007fc58072d839 in nb_cli_apply_changes_internal (vty=0x55c52a0fc6b0, > xpath_base=0x7ffd38d477f0 "/frr-isisd:isis/instance[area-tag='1'][vrf='default']/flex-algos/flex-algo[flex-algo='129']", clear_pending=false) at lib/northbound_cli.c:178 > #15 0x00007fc58072dbcf in nb_cli_apply_changes (vty=0x55c52a0fc6b0, xpath_base_fmt=0x55c528014de0 "./flex-algos/flex-algo[flex-algo='%ld']") at lib/northbound_cli.c:234 > #16 0x000055c527fd3403 in flex_algo_magic (self=0x55c52804f1a0 <flex_algo_cmd>, vty=0x55c52a0fc6b0, argc=2, argv=0x55c52ab00ec0, algorithm=129, algorithm_str=0x55c52ab120d0 "129") > at isisd/isis_cli.c:3752 > #17 0x000055c527fc97cb in flex_algo (self=0x55c52804f1a0 <flex_algo_cmd>, vty=0x55c52a0fc6b0, argc=2, argv=0x55c52ab00ec0) at ./isisd/isis_cli_clippy.c:6445 > #18 0x00007fc5806b9abc in cmd_execute_command_real (vline=0x55c52aaf78f0, vty=0x55c52a0fc6b0, cmd=0x0, up_level=0) at lib/command.c:984 > #19 0x00007fc5806b9c35 in cmd_execute_command (vline=0x55c52aaf78f0, vty=0x55c52a0fc6b0, cmd=0x0, vtysh=0) at lib/command.c:1043 > #20 0x00007fc5806ba1e5 in cmd_execute (vty=0x55c52a0fc6b0, cmd=0x55c52aae6bd0 "flex-algo 129\n", matched=0x0, vtysh=0) at lib/command.c:1209 > #21 0x00007fc580782ae1 in vty_command (vty=0x55c52a0fc6b0, buf=0x55c52aae6bd0 "flex-algo 129\n") at lib/vty.c:615 > #22 0x00007fc580784a05 in vty_execute (vty=0x55c52a0fc6b0) at lib/vty.c:1378 > #23 0x00007fc580787131 in vtysh_read (thread=0x7ffd38d4ab10) at lib/vty.c:2373 > #24 0x00007fc58077b605 in event_call (thread=0x7ffd38d4ab10) at lib/event.c:2011 > #25 0x00007fc5806f8976 in frr_run (master=0x55c529df9b30) at lib/libfrr.c:1212 > #26 0x000055c527f301bc in main (argc=5, argv=0x7ffd38d4ad58, envp=0x7ffd38d4ad88) at isisd/isis_main.c:350 > (gdb) f 6 > #6 0x000055c527f798c9 in isis_link_params_update_asla (circuit=0x55c52aaed3c0, ifp=0x55c52a1044e0) at isisd/isis_te.c:176 > 176 list_delete_all_node(ext->aslas); > (gdb) p ext > $1 = (struct isis_ext_subtlvs *) 0x0 Fixes: ae27101 ("isisd: fix building asla at first flex-algo config") Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com> (cherry picked from commit cd81d28)

The following causes a isisd crash. > # cat config > affinity-map green bit-position 0 > router isis 1 > flex-algo 129 > affinity exclude-any green > # vtysh -f config > #0 raise (sig=<optimized out>) at ../sysdeps/unix/sysv/linux/raise.c:50 > #1 0x00007f650cd32756 in core_handler (signo=6, siginfo=0x7ffc56f93070, context=0x7ffc56f92f40) at lib/sigevent.c:258 > #2 <signal handler called> > #3 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 > FRRouting#4 0x00007f650c91c537 in __GI_abort () at abort.c:79 > FRRouting#5 0x00007f650cd007c9 in nb_running_get_entry_worker (dnode=0x0, xpath=0x0, abort_if_not_found=true, rec_search=true) at lib/northbound.c:2531 > FRRouting#6 0x00007f650cd007f9 in nb_running_get_entry (dnode=0x55d9ad406e00, xpath=0x0, abort_if_not_found=true) at lib/northbound.c:2537 > FRRouting#7 0x000055d9ab302248 in isis_instance_flex_algo_affinity_set (args=0x7ffc56f947a0, type=2) at isisd/isis_nb_config.c:2998 > FRRouting#8 0x000055d9ab3027c0 in isis_instance_flex_algo_affinity_exclude_any_create (args=0x7ffc56f947a0) at isisd/isis_nb_config.c:3155 > FRRouting#9 0x00007f650ccfe284 in nb_callback_create (context=0x7ffc56f94d20, nb_node=0x55d9ad28b540, event=NB_EV_VALIDATE, dnode=0x55d9ad406e00, resource=0x0, errmsg=0x7ffc56f94de0 "", > errmsg_len=8192) at lib/northbound.c:1487 > FRRouting#10 0x00007f650ccff067 in nb_callback_configuration (context=0x7ffc56f94d20, event=NB_EV_VALIDATE, change=0x55d9ad406d40, errmsg=0x7ffc56f94de0 "", errmsg_len=8192) at lib/northbound.c:1884 > FRRouting#11 0x00007f650ccfda31 in nb_candidate_validate_code (context=0x7ffc56f94d20, candidate=0x55d9ad20d710, changes=0x7ffc56f94d38, errmsg=0x7ffc56f94de0 "", errmsg_len=8192) > at lib/northbound.c:1246 > FRRouting#12 0x00007f650ccfdc67 in nb_candidate_commit_prepare (context=..., candidate=0x55d9ad20d710, comment=0x0, transaction=0x7ffc56f94da0, skip_validate=false, ignore_zero_change=false, > errmsg=0x7ffc56f94de0 "", errmsg_len=8192) at lib/northbound.c:1317 > FRRouting#13 0x00007f650ccfdec4 in nb_candidate_commit (context=..., candidate=0x55d9ad20d710, save_transaction=true, comment=0x0, transaction_id=0x0, errmsg=0x7ffc56f94de0 "", errmsg_len=8192) > at lib/northbound.c:1381 > FRRouting#14 0x00007f650cd045ba in nb_cli_classic_commit (vty=0x55d9ad3f7490) at lib/northbound_cli.c:57 > FRRouting#15 0x00007f650cd04749 in nb_cli_pending_commit_check (vty=0x55d9ad3f7490) at lib/northbound_cli.c:96 > FRRouting#16 0x00007f650cc94340 in cmd_execute_command_real (vline=0x55d9ad3eea10, vty=0x55d9ad3f7490, cmd=0x0, up_level=0) at lib/command.c:1000 > FRRouting#17 0x00007f650cc94599 in cmd_execute_command (vline=0x55d9ad3eea10, vty=0x55d9ad3f7490, cmd=0x0, vtysh=0) at lib/command.c:1080 > FRRouting#18 0x00007f650cc94a0c in cmd_execute (vty=0x55d9ad3f7490, cmd=0x55d9ad401d30 "XFRR_end_configuration", matched=0x0, vtysh=0) at lib/command.c:1228 > FRRouting#19 0x00007f650cd523a4 in vty_command (vty=0x55d9ad3f7490, buf=0x55d9ad401d30 "XFRR_end_configuration") at lib/vty.c:625 > FRRouting#20 0x00007f650cd5413d in vty_execute (vty=0x55d9ad3f7490) at lib/vty.c:1388 > FRRouting#21 0x00007f650cd56353 in vtysh_read (thread=0x7ffc56f99370) at lib/vty.c:2400 > FRRouting#22 0x00007f650cd4b6fd in event_call (thread=0x7ffc56f99370) at lib/event.c:1996 > FRRouting#23 0x00007f650ccd1365 in frr_run (master=0x55d9ad103cf0) at lib/libfrr.c:1231 > FRRouting#24 0x000055d9ab29036e in main (argc=2, argv=0x7ffc56f99598, envp=0x7ffc56f995b0) at isisd/isis_main.c:354 Configuring the same in vtysh configure interactive mode works properly. When using "vtysh -f", the northbound compatible configuration is committed together whereas, in interactive mode, it committed line by line. In the first situation, in validation state nb_running_get_entry() fails because the area not yet in running. Do not use nb_running_get_entry() northbound validation state. Fixes: 893882e ("isisd: add isis flex-algo configuration backend") Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>

Fix a crash when modifying a route-map with set as-path exclude without as-path-access-list: > router(config)# route-map routemaptest deny 1 > router(config-route-map)# set as-path exclude 33 34 35 > router(config-route-map)# set as-path exclude as-path-access-list test > #0 raise (sig=<optimized out>) at ../sysdeps/unix/sysv/linux/raise.c:50 > #1 0x00007fb3959327de in core_handler (signo=11, siginfo=0x7ffd122da530, context=0x7ffd122da400) at lib/sigevent.c:258 > #2 <signal handler called> > #3 0x000055ab2762a1bd in as_list_list_del (h=0x55ab27897680 <as_exclude_list_orphan>, item=0x55ab28204e20) at ./bgpd/bgp_aspath.h:77 > FRRouting#4 0x000055ab2762d1a8 in as_exclude_remove_orphan (ase=0x55ab28204e20) at bgpd/bgp_aspath.c:1574 > FRRouting#5 0x000055ab27550538 in route_aspath_exclude_free (rule=0x55ab28204e20) at bgpd/bgp_routemap.c:2366 > FRRouting#6 0x00007fb39591f00c in route_map_rule_delete (list=0x55ab28203498, rule=0x55ab28204170) at lib/routemap.c:1357 > FRRouting#7 0x00007fb39591f87c in route_map_add_set (index=0x55ab28203460, set_name=0x55ab276ad2aa "as-path exclude", set_arg=0x55ab281e4f70 "as-path-access-list test") at lib/routemap.c:1674 > FRRouting#8 0x00007fb39591d3f3 in generic_set_add (index=0x55ab28203460, command=0x55ab276ad2aa "as-path exclude", arg=0x55ab281e4f70 "as-path-access-list test", errmsg=0x7ffd122db870 "", > errmsg_len=8192) at lib/routemap.c:533 > FRRouting#9 0x000055ab2755e78e in lib_route_map_entry_set_action_rmap_set_action_exclude_as_path_modify (args=0x7ffd122db290) at bgpd/bgp_routemap_nb_config.c:2427 > FRRouting#10 0x00007fb3958fe417 in nb_callback_modify (context=0x55ab28205aa0, nb_node=0x55ab27cb31e0, event=NB_EV_APPLY, dnode=0x55ab28202690, resource=0x55ab27c32148, errmsg=0x7ffd122db870 "", > errmsg_len=8192) at lib/northbound.c:1538 > FRRouting#11 0x00007fb3958ff0ab in nb_callback_configuration (context=0x55ab28205aa0, event=NB_EV_APPLY, change=0x55ab27c32110, errmsg=0x7ffd122db870 "", errmsg_len=8192) at lib/northbound.c:1888 > FRRouting#12 0x00007fb3958ff5e4 in nb_transaction_process (event=NB_EV_APPLY, transaction=0x55ab28205aa0, errmsg=0x7ffd122db870 "", errmsg_len=8192) at lib/northbound.c:2016 > FRRouting#13 0x00007fb3958fddba in nb_candidate_commit_apply (transaction=0x55ab28205aa0, save_transaction=true, transaction_id=0x0, errmsg=0x7ffd122db870 "", errmsg_len=8192) > at lib/northbound.c:1356 > FRRouting#14 0x00007fb3958fdef0 in nb_candidate_commit (context=..., candidate=0x55ab27c2c9a0, save_transaction=true, comment=0x0, transaction_id=0x0, errmsg=0x7ffd122db870 "", errmsg_len=8192) > at lib/northbound.c:1389 > FRRouting#15 0x00007fb3959045ba in nb_cli_classic_commit (vty=0x55ab281f6680) at lib/northbound_cli.c:57 > FRRouting#16 0x00007fb395904b5a in nb_cli_apply_changes_internal (vty=0x55ab281f6680, xpath_base=0x7ffd122dfd10 "/frr-route-map:lib/route-map[name='routemaptest']/entry[sequence='1']", > clear_pending=false) at lib/northbound_cli.c:184 > FRRouting#17 0x00007fb395904ebf in nb_cli_apply_changes (vty=0x55ab281f6680, xpath_base_fmt=0x0) at lib/northbound_cli.c:240 > --Type <RET> for more, q to quit, c to continue without paging-- > FRRouting#18 0x000055ab27557d2e in set_aspath_exclude_access_list_magic (self=0x55ab2775c300 <set_aspath_exclude_access_list_cmd>, vty=0x55ab281f6680, argc=5, argv=0x55ab28204c80, > as_path_filter_name=0x55ab28202040 "test") at bgpd/bgp_routemap.c:6397 > FRRouting#19 0x000055ab2754bdea in set_aspath_exclude_access_list (self=0x55ab2775c300 <set_aspath_exclude_access_list_cmd>, vty=0x55ab281f6680, argc=5, argv=0x55ab28204c80) > at ./bgpd/bgp_routemap_clippy.c:856 > FRRouting#20 0x00007fb39589435d in cmd_execute_command_real (vline=0x55ab281e61f0, vty=0x55ab281f6680, cmd=0x0, up_level=0) at lib/command.c:1003 > FRRouting#21 0x00007fb3958944be in cmd_execute_command (vline=0x55ab281e61f0, vty=0x55ab281f6680, cmd=0x0, vtysh=0) at lib/command.c:1062 > FRRouting#22 0x00007fb395894a0c in cmd_execute (vty=0x55ab281f6680, cmd=0x55ab28200f20 "set as-path exclude as-path-access-list test", matched=0x0, vtysh=0) at lib/command.c:1228 > FRRouting#23 0x00007fb39595242c in vty_command (vty=0x55ab281f6680, buf=0x55ab28200f20 "set as-path exclude as-path-access-list test") at lib/vty.c:625 > FRRouting#24 0x00007fb3959541c5 in vty_execute (vty=0x55ab281f6680) at lib/vty.c:1388 > FRRouting#25 0x00007fb3959563db in vtysh_read (thread=0x7ffd122e2bb0) at lib/vty.c:2400 > FRRouting#26 0x00007fb39594b785 in event_call (thread=0x7ffd122e2bb0) at lib/event.c:1996 > FRRouting#27 0x00007fb3958d1365 in frr_run (master=0x55ab27b56d70) at lib/libfrr.c:1231 > FRRouting#28 0x000055ab2747f1cc in main (argc=3, argv=0x7ffd122e2e08) at bgpd/bgp_main.c:555 Fixes: 094dcc3 ("bgpd: fix "bgp as-pah access-list" with "set aspath exclude" set/unset issues") Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>

Fix a crash when modifying a route-map with set as-path exclude without as-path-access-list: > router(config)# route-map routemaptest deny 1 > router(config-route-map)# set as-path exclude 33 34 35 > router(config-route-map)# set as-path exclude as-path-access-list test > #0 raise (sig=<optimized out>) at ../sysdeps/unix/sysv/linux/raise.c:50 > #1 0x00007fb3959327de in core_handler (signo=11, siginfo=0x7ffd122da530, context=0x7ffd122da400) at lib/sigevent.c:258 > #2 <signal handler called> > #3 0x000055ab2762a1bd in as_list_list_del (h=0x55ab27897680 <as_exclude_list_orphan>, item=0x55ab28204e20) at ./bgpd/bgp_aspath.h:77 > #4 0x000055ab2762d1a8 in as_exclude_remove_orphan (ase=0x55ab28204e20) at bgpd/bgp_aspath.c:1574 > #5 0x000055ab27550538 in route_aspath_exclude_free (rule=0x55ab28204e20) at bgpd/bgp_routemap.c:2366 > #6 0x00007fb39591f00c in route_map_rule_delete (list=0x55ab28203498, rule=0x55ab28204170) at lib/routemap.c:1357 > #7 0x00007fb39591f87c in route_map_add_set (index=0x55ab28203460, set_name=0x55ab276ad2aa "as-path exclude", set_arg=0x55ab281e4f70 "as-path-access-list test") at lib/routemap.c:1674 > #8 0x00007fb39591d3f3 in generic_set_add (index=0x55ab28203460, command=0x55ab276ad2aa "as-path exclude", arg=0x55ab281e4f70 "as-path-access-list test", errmsg=0x7ffd122db870 "", > errmsg_len=8192) at lib/routemap.c:533 > #9 0x000055ab2755e78e in lib_route_map_entry_set_action_rmap_set_action_exclude_as_path_modify (args=0x7ffd122db290) at bgpd/bgp_routemap_nb_config.c:2427 > #10 0x00007fb3958fe417 in nb_callback_modify (context=0x55ab28205aa0, nb_node=0x55ab27cb31e0, event=NB_EV_APPLY, dnode=0x55ab28202690, resource=0x55ab27c32148, errmsg=0x7ffd122db870 "", > errmsg_len=8192) at lib/northbound.c:1538 > #11 0x00007fb3958ff0ab in nb_callback_configuration (context=0x55ab28205aa0, event=NB_EV_APPLY, change=0x55ab27c32110, errmsg=0x7ffd122db870 "", errmsg_len=8192) at lib/northbound.c:1888 > #12 0x00007fb3958ff5e4 in nb_transaction_process (event=NB_EV_APPLY, transaction=0x55ab28205aa0, errmsg=0x7ffd122db870 "", errmsg_len=8192) at lib/northbound.c:2016 > #13 0x00007fb3958fddba in nb_candidate_commit_apply (transaction=0x55ab28205aa0, save_transaction=true, transaction_id=0x0, errmsg=0x7ffd122db870 "", errmsg_len=8192) > at lib/northbound.c:1356 > #14 0x00007fb3958fdef0 in nb_candidate_commit (context=..., candidate=0x55ab27c2c9a0, save_transaction=true, comment=0x0, transaction_id=0x0, errmsg=0x7ffd122db870 "", errmsg_len=8192) > at lib/northbound.c:1389 > #15 0x00007fb3959045ba in nb_cli_classic_commit (vty=0x55ab281f6680) at lib/northbound_cli.c:57 > #16 0x00007fb395904b5a in nb_cli_apply_changes_internal (vty=0x55ab281f6680, xpath_base=0x7ffd122dfd10 "/frr-route-map:lib/route-map[name='routemaptest']/entry[sequence='1']", > clear_pending=false) at lib/northbound_cli.c:184 > #17 0x00007fb395904ebf in nb_cli_apply_changes (vty=0x55ab281f6680, xpath_base_fmt=0x0) at lib/northbound_cli.c:240 > --Type <RET> for more, q to quit, c to continue without paging-- > #18 0x000055ab27557d2e in set_aspath_exclude_access_list_magic (self=0x55ab2775c300 <set_aspath_exclude_access_list_cmd>, vty=0x55ab281f6680, argc=5, argv=0x55ab28204c80, > as_path_filter_name=0x55ab28202040 "test") at bgpd/bgp_routemap.c:6397 > #19 0x000055ab2754bdea in set_aspath_exclude_access_list (self=0x55ab2775c300 <set_aspath_exclude_access_list_cmd>, vty=0x55ab281f6680, argc=5, argv=0x55ab28204c80) > at ./bgpd/bgp_routemap_clippy.c:856 > #20 0x00007fb39589435d in cmd_execute_command_real (vline=0x55ab281e61f0, vty=0x55ab281f6680, cmd=0x0, up_level=0) at lib/command.c:1003 > #21 0x00007fb3958944be in cmd_execute_command (vline=0x55ab281e61f0, vty=0x55ab281f6680, cmd=0x0, vtysh=0) at lib/command.c:1062 > #22 0x00007fb395894a0c in cmd_execute (vty=0x55ab281f6680, cmd=0x55ab28200f20 "set as-path exclude as-path-access-list test", matched=0x0, vtysh=0) at lib/command.c:1228 > #23 0x00007fb39595242c in vty_command (vty=0x55ab281f6680, buf=0x55ab28200f20 "set as-path exclude as-path-access-list test") at lib/vty.c:625 > #24 0x00007fb3959541c5 in vty_execute (vty=0x55ab281f6680) at lib/vty.c:1388 > #25 0x00007fb3959563db in vtysh_read (thread=0x7ffd122e2bb0) at lib/vty.c:2400 > #26 0x00007fb39594b785 in event_call (thread=0x7ffd122e2bb0) at lib/event.c:1996 > #27 0x00007fb3958d1365 in frr_run (master=0x55ab27b56d70) at lib/libfrr.c:1231 > #28 0x000055ab2747f1cc in main (argc=3, argv=0x7ffd122e2e08) at bgpd/bgp_main.c:555 Fixes: 094dcc3 ("bgpd: fix "bgp as-pah access-list" with "set aspath exclude" set/unset issues") Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>

Level 2 adjacency list is not supposed to be always set. > #0 raise (sig=<optimized out>) at ../sysdeps/unix/sysv/linux/raise.c:50 > #1 0x00007f9f0353274f in core_handler (signo=6, siginfo=0x7ffe95260770, context=0x7ffe95260640) at lib/sigevent.c:258 > #2 <signal handler called> > #3 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 > FRRouting#4 0x00007f9f0324e537 in __GI_abort () at abort.c:79 > FRRouting#5 0x00007f9f035744ea in _zlog_assert_failed (xref=0x7f9f0362c6c0 <_xref.15>, extra=0x0) at lib/zlog.c:789 > FRRouting#6 0x00007f9f034d25ee in listnode_head (list=0x0) at lib/linklist.c:316 > FRRouting#7 0x000055cd65aaa481 in lib_interface_state_isis_adjacencies_adjacency_get_next (args=0x7ffe95261730) at isisd/isis_nb_state.c:101 > FRRouting#8 0x00007f9f034feadd in nb_callback_get_next (nb_node=0x55cd673c0190, parent_list_entry=0x55cd67570d30, list_entry=0x55cd6758f8a0) at lib/northbound.c:1748 > FRRouting#9 0x00007f9f0350bf07 in __walk (ys=0x55cd675782b0, is_resume=false) at lib/northbound_oper.c:1264 > FRRouting#10 0x00007f9f0350deaa in nb_op_walk_start (ys=0x55cd675782b0) at lib/northbound_oper.c:1741 > FRRouting#11 0x00007f9f0350e079 in nb_oper_iterate_legacy (xpath=0x55cd67595c60 "/frr-interface:lib", translator=0x0, flags=0, cb=0x0, cb_arg=0x0, tree=0x7ffe952621b0) at lib/northbound_oper.c:1803 > FRRouting#12 0x00007f9f03507661 in show_yang_operational_data_magic (self=0x7f9f03634a80 <show_yang_operational_data_cmd>, vty=0x55cd675a61f0, argc=4, argv=0x55cd6758eab0, > xpath=0x55cd67595c60 "/frr-interface:lib", json=0x0, xml=0x0, translator_family=0x0, with_config=0x0) at lib/northbound_cli.c:1576 > FRRouting#13 0x00007f9f035037f0 in show_yang_operational_data (self=0x7f9f03634a80 <show_yang_operational_data_cmd>, vty=0x55cd675a61f0, argc=4, argv=0x55cd6758eab0) > at ./lib/northbound_cli_clippy.c:906 > FRRouting#14 0x00007f9f0349435d in cmd_execute_command_real (vline=0x55cd6758e490, vty=0x55cd675a61f0, cmd=0x0, up_level=0) at lib/command.c:1003 > FRRouting#15 0x00007f9f03494477 in cmd_execute_command (vline=0x55cd67585340, vty=0x55cd675a61f0, cmd=0x0, vtysh=0) at lib/command.c:1053 > FRRouting#16 0x00007f9f03494a0c in cmd_execute (vty=0x55cd675a61f0, cmd=0x55cd67579040 "do show yang operational-data /frr-interface:lib", matched=0x0, vtysh=0) at lib/command.c:1228 > FRRouting#17 0x00007f9f0355239d in vty_command (vty=0x55cd675a61f0, buf=0x55cd67579040 "do show yang operational-data /frr-interface:lib") at lib/vty.c:625 > FRRouting#18 0x00007f9f03554136 in vty_execute (vty=0x55cd675a61f0) at lib/vty.c:1388 > FRRouting#19 0x00007f9f0355634c in vtysh_read (thread=0x7ffe952647a0) at lib/vty.c:2400 > FRRouting#20 0x00007f9f0354b6f6 in event_call (thread=0x7ffe952647a0) at lib/event.c:1996 > FRRouting#21 0x00007f9f034d1365 in frr_run (master=0x55cd67204da0) at lib/libfrr.c:1231 > FRRouting#22 0x000055cd65a3236e in main (argc=7, argv=0x7ffe952649c8, envp=0x7ffe95264a08) at isisd/isis_main.c:354 Fixes: 2a1c520 ("isisd: split northbound callbacks into multiple files") Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>

When 'no rpki' is requested and the rtrlib RPKI object was freed, bgpd is crashing. RPKI is configured in VRF red. > ip l set red down > ip l del red > printf 'conf\n vrf red\n no rpki' | vtysh > Core was generated by `/usr/bin/bgpd -A 127.0.0.1 -M snmp -M rpki -M bmp'. > Program terminated with signal SIGSEGV, Segmentation fault. > #0 __pthread_kill_implementation (no_tid=0, signo=11, threadid=140411103615424) at ./nptl/pthread_kill.c:44 > 44 ./nptl/pthread_kill.c: No such file or directory. > [Current thread is 1 (Thread 0x7fb401f419c0 (LWP 190226))] > (gdb) bt > #0 __pthread_kill_implementation (no_tid=0, signo=11, threadid=140411103615424) at ./nptl/pthread_kill.c:44 > #1 __pthread_kill_internal (signo=11, threadid=140411103615424) at ./nptl/pthread_kill.c:78 > #2 __GI___pthread_kill (threadid=140411103615424, signo=signo@entry=11) at ./nptl/pthread_kill.c:89 > #3 0x00007fb4021ad476 in __GI_raise (sig=11) at ../sysdeps/posix/raise.c:26 > #4 0x00007fb4025ce22b in core_handler (signo=11, siginfo=0x7fff831b2d70, context=0x7fff831b2c40) at lib/sigevent.c:248 > #5 <signal handler called> > #6 rtr_mgr_remove_group (config=0x55fe8789f750, preference=11) at /build/make-pkg/output/source/DIST_RTRLIB/rtrlib/rtrlib/rtr_mgr.c:607 > #7 0x00007fb40145f518 in rpki_delete_all_cache_nodes (rpki_vrf=0x55fe8789f4f0) at bgpd/bgp_rpki.c:442 > #8 0x00007fb401463098 in no_rpki_magic (self=0x7fb40146bba0 <no_rpki_cmd>, vty=0x55fe877f5130, argc=2, argv=0x55fe877fccd0) at bgpd/bgp_rpki.c:1732 > #9 0x00007fb40145c09a in no_rpki (self=0x7fb40146bba0 <no_rpki_cmd>, vty=0x55fe877f5130, argc=2, argv=0x55fe877fccd0) at ./bgpd/bgp_rpki_clippy.c:37 > #10 0x00007fb402527abc in cmd_execute_command_real (vline=0x55fe877fd150, vty=0x55fe877f5130, cmd=0x0, up_level=0) at lib/command.c:984 > #11 0x00007fb402527c35 in cmd_execute_command (vline=0x55fe877fd150, vty=0x55fe877f5130, cmd=0x0, vtysh=0) at lib/command.c:1043 > #12 0x00007fb4025281e5 in cmd_execute (vty=0x55fe877f5130, cmd=0x55fe877fb8c0 "no rpki\n", matched=0x0, vtysh=0) at lib/command.c:1209 > #13 0x00007fb4025f0aed in vty_command (vty=0x55fe877f5130, buf=0x55fe877fb8c0 "no rpki\n") at lib/vty.c:615 > #14 0x00007fb4025f2a11 in vty_execute (vty=0x55fe877f5130) at lib/vty.c:1378 > #15 0x00007fb4025f513d in vtysh_read (thread=0x7fff831b5fa0) at lib/vty.c:2373 > #16 0x00007fb4025e9611 in event_call (thread=0x7fff831b5fa0) at lib/event.c:2011 > #17 0x00007fb402566976 in frr_run (master=0x55fe871a14a0) at lib/libfrr.c:1212 > #18 0x000055fe857829fa in main (argc=9, argv=0x7fff831b6218) at bgpd/bgp_main.c:549 Fixes: 8156765 ("bgpd: Add `no rpki` command") Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com> Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>

Level 2 adjacency list is not supposed to be always set. > #0 raise (sig=<optimized out>) at ../sysdeps/unix/sysv/linux/raise.c:50 > #1 0x00007f9f0353274f in core_handler (signo=6, siginfo=0x7ffe95260770, context=0x7ffe95260640) at lib/sigevent.c:258 > #2 <signal handler called> > FRRouting#3 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 > FRRouting#4 0x00007f9f0324e537 in __GI_abort () at abort.c:79 > FRRouting#5 0x00007f9f035744ea in _zlog_assert_failed (xref=0x7f9f0362c6c0 <_xref.15>, extra=0x0) at lib/zlog.c:789 > FRRouting#6 0x00007f9f034d25ee in listnode_head (list=0x0) at lib/linklist.c:316 > FRRouting#7 0x000055cd65aaa481 in lib_interface_state_isis_adjacencies_adjacency_get_next (args=0x7ffe95261730) at isisd/isis_nb_state.c:101 > FRRouting#8 0x00007f9f034feadd in nb_callback_get_next (nb_node=0x55cd673c0190, parent_list_entry=0x55cd67570d30, list_entry=0x55cd6758f8a0) at lib/northbound.c:1748 > FRRouting#9 0x00007f9f0350bf07 in __walk (ys=0x55cd675782b0, is_resume=false) at lib/northbound_oper.c:1264 > FRRouting#10 0x00007f9f0350deaa in nb_op_walk_start (ys=0x55cd675782b0) at lib/northbound_oper.c:1741 > FRRouting#11 0x00007f9f0350e079 in nb_oper_iterate_legacy (xpath=0x55cd67595c60 "/frr-interface:lib", translator=0x0, flags=0, cb=0x0, cb_arg=0x0, tree=0x7ffe952621b0) at lib/northbound_oper.c:1803 > FRRouting#12 0x00007f9f03507661 in show_yang_operational_data_magic (self=0x7f9f03634a80 <show_yang_operational_data_cmd>, vty=0x55cd675a61f0, argc=4, argv=0x55cd6758eab0, > xpath=0x55cd67595c60 "/frr-interface:lib", json=0x0, xml=0x0, translator_family=0x0, with_config=0x0) at lib/northbound_cli.c:1576 > FRRouting#13 0x00007f9f035037f0 in show_yang_operational_data (self=0x7f9f03634a80 <show_yang_operational_data_cmd>, vty=0x55cd675a61f0, argc=4, argv=0x55cd6758eab0) > at ./lib/northbound_cli_clippy.c:906 > FRRouting#14 0x00007f9f0349435d in cmd_execute_command_real (vline=0x55cd6758e490, vty=0x55cd675a61f0, cmd=0x0, up_level=0) at lib/command.c:1003 > FRRouting#15 0x00007f9f03494477 in cmd_execute_command (vline=0x55cd67585340, vty=0x55cd675a61f0, cmd=0x0, vtysh=0) at lib/command.c:1053 > FRRouting#16 0x00007f9f03494a0c in cmd_execute (vty=0x55cd675a61f0, cmd=0x55cd67579040 "do show yang operational-data /frr-interface:lib", matched=0x0, vtysh=0) at lib/command.c:1228 > FRRouting#17 0x00007f9f0355239d in vty_command (vty=0x55cd675a61f0, buf=0x55cd67579040 "do show yang operational-data /frr-interface:lib") at lib/vty.c:625 > FRRouting#18 0x00007f9f03554136 in vty_execute (vty=0x55cd675a61f0) at lib/vty.c:1388 > FRRouting#19 0x00007f9f0355634c in vtysh_read (thread=0x7ffe952647a0) at lib/vty.c:2400 > FRRouting#20 0x00007f9f0354b6f6 in event_call (thread=0x7ffe952647a0) at lib/event.c:1996 > FRRouting#21 0x00007f9f034d1365 in frr_run (master=0x55cd67204da0) at lib/libfrr.c:1231 > FRRouting#22 0x000055cd65a3236e in main (argc=7, argv=0x7ffe952649c8, envp=0x7ffe95264a08) at isisd/isis_main.c:354 Fixes: 2a1c520 ("isisd: split northbound callbacks into multiple files") Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>

Fix a crash when modifying a route-map with set as-path exclude without as-path-access-list: > router(config)# route-map routemaptest deny 1 > router(config-route-map)# set as-path exclude 33 34 35 > router(config-route-map)# set as-path exclude as-path-access-list test > #0 raise (sig=<optimized out>) at ../sysdeps/unix/sysv/linux/raise.c:50 > #1 0x00007fb3959327de in core_handler (signo=11, siginfo=0x7ffd122da530, context=0x7ffd122da400) at lib/sigevent.c:258 > #2 <signal handler called> > FRRouting#3 0x000055ab2762a1bd in as_list_list_del (h=0x55ab27897680 <as_exclude_list_orphan>, item=0x55ab28204e20) at ./bgpd/bgp_aspath.h:77 > FRRouting#4 0x000055ab2762d1a8 in as_exclude_remove_orphan (ase=0x55ab28204e20) at bgpd/bgp_aspath.c:1574 > FRRouting#5 0x000055ab27550538 in route_aspath_exclude_free (rule=0x55ab28204e20) at bgpd/bgp_routemap.c:2366 > FRRouting#6 0x00007fb39591f00c in route_map_rule_delete (list=0x55ab28203498, rule=0x55ab28204170) at lib/routemap.c:1357 > FRRouting#7 0x00007fb39591f87c in route_map_add_set (index=0x55ab28203460, set_name=0x55ab276ad2aa "as-path exclude", set_arg=0x55ab281e4f70 "as-path-access-list test") at lib/routemap.c:1674 > FRRouting#8 0x00007fb39591d3f3 in generic_set_add (index=0x55ab28203460, command=0x55ab276ad2aa "as-path exclude", arg=0x55ab281e4f70 "as-path-access-list test", errmsg=0x7ffd122db870 "", > errmsg_len=8192) at lib/routemap.c:533 > FRRouting#9 0x000055ab2755e78e in lib_route_map_entry_set_action_rmap_set_action_exclude_as_path_modify (args=0x7ffd122db290) at bgpd/bgp_routemap_nb_config.c:2427 > FRRouting#10 0x00007fb3958fe417 in nb_callback_modify (context=0x55ab28205aa0, nb_node=0x55ab27cb31e0, event=NB_EV_APPLY, dnode=0x55ab28202690, resource=0x55ab27c32148, errmsg=0x7ffd122db870 "", > errmsg_len=8192) at lib/northbound.c:1538 > FRRouting#11 0x00007fb3958ff0ab in nb_callback_configuration (context=0x55ab28205aa0, event=NB_EV_APPLY, change=0x55ab27c32110, errmsg=0x7ffd122db870 "", errmsg_len=8192) at lib/northbound.c:1888 > FRRouting#12 0x00007fb3958ff5e4 in nb_transaction_process (event=NB_EV_APPLY, transaction=0x55ab28205aa0, errmsg=0x7ffd122db870 "", errmsg_len=8192) at lib/northbound.c:2016 > FRRouting#13 0x00007fb3958fddba in nb_candidate_commit_apply (transaction=0x55ab28205aa0, save_transaction=true, transaction_id=0x0, errmsg=0x7ffd122db870 "", errmsg_len=8192) > at lib/northbound.c:1356 > FRRouting#14 0x00007fb3958fdef0 in nb_candidate_commit (context=..., candidate=0x55ab27c2c9a0, save_transaction=true, comment=0x0, transaction_id=0x0, errmsg=0x7ffd122db870 "", errmsg_len=8192) > at lib/northbound.c:1389 > FRRouting#15 0x00007fb3959045ba in nb_cli_classic_commit (vty=0x55ab281f6680) at lib/northbound_cli.c:57 > FRRouting#16 0x00007fb395904b5a in nb_cli_apply_changes_internal (vty=0x55ab281f6680, xpath_base=0x7ffd122dfd10 "/frr-route-map:lib/route-map[name='routemaptest']/entry[sequence='1']", > clear_pending=false) at lib/northbound_cli.c:184 > FRRouting#17 0x00007fb395904ebf in nb_cli_apply_changes (vty=0x55ab281f6680, xpath_base_fmt=0x0) at lib/northbound_cli.c:240 > --Type <RET> for more, q to quit, c to continue without paging-- > FRRouting#18 0x000055ab27557d2e in set_aspath_exclude_access_list_magic (self=0x55ab2775c300 <set_aspath_exclude_access_list_cmd>, vty=0x55ab281f6680, argc=5, argv=0x55ab28204c80, > as_path_filter_name=0x55ab28202040 "test") at bgpd/bgp_routemap.c:6397 > FRRouting#19 0x000055ab2754bdea in set_aspath_exclude_access_list (self=0x55ab2775c300 <set_aspath_exclude_access_list_cmd>, vty=0x55ab281f6680, argc=5, argv=0x55ab28204c80) > at ./bgpd/bgp_routemap_clippy.c:856 > FRRouting#20 0x00007fb39589435d in cmd_execute_command_real (vline=0x55ab281e61f0, vty=0x55ab281f6680, cmd=0x0, up_level=0) at lib/command.c:1003 > FRRouting#21 0x00007fb3958944be in cmd_execute_command (vline=0x55ab281e61f0, vty=0x55ab281f6680, cmd=0x0, vtysh=0) at lib/command.c:1062 > FRRouting#22 0x00007fb395894a0c in cmd_execute (vty=0x55ab281f6680, cmd=0x55ab28200f20 "set as-path exclude as-path-access-list test", matched=0x0, vtysh=0) at lib/command.c:1228 > FRRouting#23 0x00007fb39595242c in vty_command (vty=0x55ab281f6680, buf=0x55ab28200f20 "set as-path exclude as-path-access-list test") at lib/vty.c:625 > FRRouting#24 0x00007fb3959541c5 in vty_execute (vty=0x55ab281f6680) at lib/vty.c:1388 > FRRouting#25 0x00007fb3959563db in vtysh_read (thread=0x7ffd122e2bb0) at lib/vty.c:2400 > FRRouting#26 0x00007fb39594b785 in event_call (thread=0x7ffd122e2bb0) at lib/event.c:1996 > FRRouting#27 0x00007fb3958d1365 in frr_run (master=0x55ab27b56d70) at lib/libfrr.c:1231 > FRRouting#28 0x000055ab2747f1cc in main (argc=3, argv=0x7ffd122e2e08) at bgpd/bgp_main.c:555 Fixes: 094dcc3 ("bgpd: fix "bgp as-pah access-list" with "set aspath exclude" set/unset issues") Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>

The following causes a isisd crash. > # cat config > affinity-map green bit-position 0 > router isis 1 > flex-algo 129 > affinity exclude-any green > # vtysh -f config > #0 raise (sig=<optimized out>) at ../sysdeps/unix/sysv/linux/raise.c:50 > FRRouting#1 0x00007f650cd32756 in core_handler (signo=6, siginfo=0x7ffc56f93070, context=0x7ffc56f92f40) at lib/sigevent.c:258 > FRRouting#2 <signal handler called> > FRRouting#3 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 > FRRouting#4 0x00007f650c91c537 in __GI_abort () at abort.c:79 > FRRouting#5 0x00007f650cd007c9 in nb_running_get_entry_worker (dnode=0x0, xpath=0x0, abort_if_not_found=true, rec_search=true) at lib/northbound.c:2531 > FRRouting#6 0x00007f650cd007f9 in nb_running_get_entry (dnode=0x55d9ad406e00, xpath=0x0, abort_if_not_found=true) at lib/northbound.c:2537 > FRRouting#7 0x000055d9ab302248 in isis_instance_flex_algo_affinity_set (args=0x7ffc56f947a0, type=2) at isisd/isis_nb_config.c:2998 > FRRouting#8 0x000055d9ab3027c0 in isis_instance_flex_algo_affinity_exclude_any_create (args=0x7ffc56f947a0) at isisd/isis_nb_config.c:3155 > FRRouting#9 0x00007f650ccfe284 in nb_callback_create (context=0x7ffc56f94d20, nb_node=0x55d9ad28b540, event=NB_EV_VALIDATE, dnode=0x55d9ad406e00, resource=0x0, errmsg=0x7ffc56f94de0 "", > errmsg_len=8192) at lib/northbound.c:1487 > FRRouting#10 0x00007f650ccff067 in nb_callback_configuration (context=0x7ffc56f94d20, event=NB_EV_VALIDATE, change=0x55d9ad406d40, errmsg=0x7ffc56f94de0 "", errmsg_len=8192) at lib/northbound.c:1884 > FRRouting#11 0x00007f650ccfda31 in nb_candidate_validate_code (context=0x7ffc56f94d20, candidate=0x55d9ad20d710, changes=0x7ffc56f94d38, errmsg=0x7ffc56f94de0 "", errmsg_len=8192) > at lib/northbound.c:1246 > FRRouting#12 0x00007f650ccfdc67 in nb_candidate_commit_prepare (context=..., candidate=0x55d9ad20d710, comment=0x0, transaction=0x7ffc56f94da0, skip_validate=false, ignore_zero_change=false, > errmsg=0x7ffc56f94de0 "", errmsg_len=8192) at lib/northbound.c:1317 > FRRouting#13 0x00007f650ccfdec4 in nb_candidate_commit (context=..., candidate=0x55d9ad20d710, save_transaction=true, comment=0x0, transaction_id=0x0, errmsg=0x7ffc56f94de0 "", errmsg_len=8192) > at lib/northbound.c:1381 > FRRouting#14 0x00007f650cd045ba in nb_cli_classic_commit (vty=0x55d9ad3f7490) at lib/northbound_cli.c:57 > FRRouting#15 0x00007f650cd04749 in nb_cli_pending_commit_check (vty=0x55d9ad3f7490) at lib/northbound_cli.c:96 > FRRouting#16 0x00007f650cc94340 in cmd_execute_command_real (vline=0x55d9ad3eea10, vty=0x55d9ad3f7490, cmd=0x0, up_level=0) at lib/command.c:1000 > FRRouting#17 0x00007f650cc94599 in cmd_execute_command (vline=0x55d9ad3eea10, vty=0x55d9ad3f7490, cmd=0x0, vtysh=0) at lib/command.c:1080 > FRRouting#18 0x00007f650cc94a0c in cmd_execute (vty=0x55d9ad3f7490, cmd=0x55d9ad401d30 "XFRR_end_configuration", matched=0x0, vtysh=0) at lib/command.c:1228 > FRRouting#19 0x00007f650cd523a4 in vty_command (vty=0x55d9ad3f7490, buf=0x55d9ad401d30 "XFRR_end_configuration") at lib/vty.c:625 > FRRouting#20 0x00007f650cd5413d in vty_execute (vty=0x55d9ad3f7490) at lib/vty.c:1388 > FRRouting#21 0x00007f650cd56353 in vtysh_read (thread=0x7ffc56f99370) at lib/vty.c:2400 > FRRouting#22 0x00007f650cd4b6fd in event_call (thread=0x7ffc56f99370) at lib/event.c:1996 > FRRouting#23 0x00007f650ccd1365 in frr_run (master=0x55d9ad103cf0) at lib/libfrr.c:1231 > FRRouting#24 0x000055d9ab29036e in main (argc=2, argv=0x7ffc56f99598, envp=0x7ffc56f995b0) at isisd/isis_main.c:354 Configuring the same in vtysh configure interactive mode works properly. When using "vtysh -f", the northbound compatible configuration is committed together whereas, in interactive mode, it committed line by line. In the first situation, in validation state nb_running_get_entry() fails because the area not yet in running. Do not use nb_running_get_entry() northbound validation state. Fixes: 893882e ("isisd: add isis flex-algo configuration backend") Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>

Level 2 adjacency list is not supposed to be always set. > #0 raise (sig=<optimized out>) at ../sysdeps/unix/sysv/linux/raise.c:50 > FRRouting#1 0x00007f9f0353274f in core_handler (signo=6, siginfo=0x7ffe95260770, context=0x7ffe95260640) at lib/sigevent.c:258 > FRRouting#2 <signal handler called> > FRRouting#3 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 > FRRouting#4 0x00007f9f0324e537 in __GI_abort () at abort.c:79 > FRRouting#5 0x00007f9f035744ea in _zlog_assert_failed (xref=0x7f9f0362c6c0 <_xref.15>, extra=0x0) at lib/zlog.c:789 > FRRouting#6 0x00007f9f034d25ee in listnode_head (list=0x0) at lib/linklist.c:316 > FRRouting#7 0x000055cd65aaa481 in lib_interface_state_isis_adjacencies_adjacency_get_next (args=0x7ffe95261730) at isisd/isis_nb_state.c:101 > FRRouting#8 0x00007f9f034feadd in nb_callback_get_next (nb_node=0x55cd673c0190, parent_list_entry=0x55cd67570d30, list_entry=0x55cd6758f8a0) at lib/northbound.c:1748 > FRRouting#9 0x00007f9f0350bf07 in __walk (ys=0x55cd675782b0, is_resume=false) at lib/northbound_oper.c:1264 > FRRouting#10 0x00007f9f0350deaa in nb_op_walk_start (ys=0x55cd675782b0) at lib/northbound_oper.c:1741 > FRRouting#11 0x00007f9f0350e079 in nb_oper_iterate_legacy (xpath=0x55cd67595c60 "/frr-interface:lib", translator=0x0, flags=0, cb=0x0, cb_arg=0x0, tree=0x7ffe952621b0) at lib/northbound_oper.c:1803 > FRRouting#12 0x00007f9f03507661 in show_yang_operational_data_magic (self=0x7f9f03634a80 <show_yang_operational_data_cmd>, vty=0x55cd675a61f0, argc=4, argv=0x55cd6758eab0, > xpath=0x55cd67595c60 "/frr-interface:lib", json=0x0, xml=0x0, translator_family=0x0, with_config=0x0) at lib/northbound_cli.c:1576 > FRRouting#13 0x00007f9f035037f0 in show_yang_operational_data (self=0x7f9f03634a80 <show_yang_operational_data_cmd>, vty=0x55cd675a61f0, argc=4, argv=0x55cd6758eab0) > at ./lib/northbound_cli_clippy.c:906 > FRRouting#14 0x00007f9f0349435d in cmd_execute_command_real (vline=0x55cd6758e490, vty=0x55cd675a61f0, cmd=0x0, up_level=0) at lib/command.c:1003 > FRRouting#15 0x00007f9f03494477 in cmd_execute_command (vline=0x55cd67585340, vty=0x55cd675a61f0, cmd=0x0, vtysh=0) at lib/command.c:1053 > FRRouting#16 0x00007f9f03494a0c in cmd_execute (vty=0x55cd675a61f0, cmd=0x55cd67579040 "do show yang operational-data /frr-interface:lib", matched=0x0, vtysh=0) at lib/command.c:1228 > FRRouting#17 0x00007f9f0355239d in vty_command (vty=0x55cd675a61f0, buf=0x55cd67579040 "do show yang operational-data /frr-interface:lib") at lib/vty.c:625 > FRRouting#18 0x00007f9f03554136 in vty_execute (vty=0x55cd675a61f0) at lib/vty.c:1388 > FRRouting#19 0x00007f9f0355634c in vtysh_read (thread=0x7ffe952647a0) at lib/vty.c:2400 > FRRouting#20 0x00007f9f0354b6f6 in event_call (thread=0x7ffe952647a0) at lib/event.c:1996 > FRRouting#21 0x00007f9f034d1365 in frr_run (master=0x55cd67204da0) at lib/libfrr.c:1231 > FRRouting#22 0x000055cd65a3236e in main (argc=7, argv=0x7ffe952649c8, envp=0x7ffe95264a08) at isisd/isis_main.c:354 Fixes: 2a1c520 ("isisd: split northbound callbacks into multiple files") Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>

Fix heap-after-free seen with bgp_vrf_dynamic_route_leak / test_bgp_vrf_dynamic_route_leak_topo1 topotest. > ================================================================= > ==1899==ERROR: AddressSanitizer: heap-use-after-free on address 0x6160000acba4 at pc 0x559fe9aee213 bp 0x7fffef3d3ef0 sp 0x7fffef3d3ee8 > READ of size 4 at 0x6160000acba4 thread T0 > #0 0x559fe9aee212 in ctx_info_from_zns zebra/zebra_dplane.c:3331 > #1 0x559fe9aee212 in dplane_ctx_ns_init zebra/zebra_dplane.c:3347 > #2 0x559fe9af50a2 in dplane_ctx_nexthop_init zebra/zebra_dplane.c:3696 > #3 0x559fe9afadd1 in dplane_nexthop_update_internal zebra/zebra_dplane.c:4503 > FRRouting#4 0x559fe9afb0ff in dplane_nexthop_delete zebra/zebra_dplane.c:4730 > FRRouting#5 0x559fe9b6fddf in zebra_nhg_uninstall_kernel zebra/zebra_nhg.c:3278 > FRRouting#6 0x559fe9b700bf in zebra_nhg_decrement_ref zebra/zebra_nhg.c:1768 > FRRouting#7 0x559fe9b8a5d3 in route_entry_update_nhe zebra/zebra_rib.c:457 > FRRouting#8 0x559fe9b932f7 in rib_re_nhg_free zebra/zebra_rib.c:2691 > FRRouting#9 0x559fe9b932f7 in rib_unlink zebra/zebra_rib.c:4088 > FRRouting#10 0x559fe9b93485 in zebra_rtable_node_cleanup zebra/zebra_rib.c:958 > FRRouting#11 0x7fd4040c6672 in route_node_free lib/table.c:75 > FRRouting#12 0x7fd4040c7378 in route_table_free lib/table.c:111 > FRRouting#13 0x7fd4040c7378 in route_table_finish lib/table.c:46 > FRRouting#14 0x559fe9b9cd50 in zebra_router_free_table zebra/zebra_router.c:191 > FRRouting#15 0x559fe9b9e3fe in zebra_router_terminate zebra/zebra_router.c:244 > FRRouting#16 0x559fe9aa3c40 in zebra_finalize zebra/main.c:244 > FRRouting#17 0x7fd4040da2c1 in event_call lib/event.c:1996 > FRRouting#18 0x7fd40400dcc6 in frr_run lib/libfrr.c:1237 > FRRouting#19 0x559fe9aa435e in main zebra/main.c:526 > FRRouting#20 0x7fd403b0c249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 > FRRouting#21 0x7fd403b0c304 in __libc_start_main_impl ../csu/libc-start.c:360 > FRRouting#22 0x559fe9a777a0 in _start (/usr/lib/frr/zebra+0x1a47a0) > > 0x6160000acba4 is located 36 bytes inside of 584-byte region [0x6160000acb80,0x6160000acdc8) > freed by thread T0 here: > #0 0x7fd4044b76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52 > #1 0x7fd40402d060 in qfree lib/memory.c:131 > #2 0x559fe9b73aaa in zebra_ns_delete zebra/zebra_ns.c:74 > #3 0x559fe9b7415a in zebra_ns_final_shutdown zebra/zebra_ns.c:192 > FRRouting#4 0x7fd40404d45e in ns_walk_func lib/netns_linux.c:372 > FRRouting#5 0x559fe9aa3c36 in zebra_finalize zebra/main.c:241 > FRRouting#6 0x7fd4040da2c1 in event_call lib/event.c:1996 > FRRouting#7 0x7fd40400dcc6 in frr_run lib/libfrr.c:1237 > FRRouting#8 0x559fe9aa435e in main zebra/main.c:526 > FRRouting#9 0x7fd403b0c249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 > > previously allocated by thread T0 here: > #0 0x7fd4044b83b7 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77 > #1 0x7fd40402c76d in qcalloc lib/memory.c:106 > #2 0x559fe9b73b9b in zebra_ns_new zebra/zebra_ns.c:55 > #3 0x559fe9b74283 in zebra_ns_init zebra/zebra_ns.c:221 > FRRouting#4 0x559fe9aa4159 in main zebra/main.c:440 > FRRouting#5 0x7fd403b0c249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>

``` ERROR: AddressSanitizer: heap-use-after-free on address 0x6160000aecf0 at pc 0x5555557ecdb9 bp 0x7fffffffe350 sp 0x7fffffffe340 READ of size 4 at 0x6160000aecf0 thread T0 #0 0x5555557ecdb8 in igmp_source_delete pimd/pim_igmpv3.c:340 FRRouting#1 0x5555557ed475 in igmp_source_delete_expired pimd/pim_igmpv3.c:405 FRRouting#2 0x5555557de574 in igmp_group_timer pimd/pim_igmp.c:1346 FRRouting#3 0x7ffff7275421 in event_call lib/event.c:1996 FRRouting#4 0x7ffff7140797 in frr_run lib/libfrr.c:1237 FRRouting#5 0x5555557f5840 in main pimd/pim_main.c:166 FRRouting#6 0x7ffff6a54082 in __libc_start_main ../csu/libc-start.c:308 FRRouting#7 0x555555686eed in _start (/usr/lib/frr/pimd+0x132eed) 0x6160000aecf0 is located 112 bytes inside of 600-byte region [0x6160000aec80,0x6160000aeed8) freed by thread T0 here: #0 0x7ffff767b40f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122 FRRouting#1 0x7ffff716ed34 in qfree lib/memory.c:131 FRRouting#2 0x5555557169ae in pim_channel_oil_free pimd/pim_oil.c:84 FRRouting#3 0x555555717981 in pim_channel_oil_del pimd/pim_oil.c:199 FRRouting#4 0x55555573c42c in tib_sg_gm_prune pimd/pim_tib.c:196 FRRouting#5 0x5555557d6d04 in igmp_source_forward_stop pimd/pim_igmp.c:229 FRRouting#6 0x5555557d5855 in igmp_anysource_forward_stop pimd/pim_igmp.c:61 FRRouting#7 0x5555557de539 in igmp_group_timer pimd/pim_igmp.c:1344 FRRouting#8 0x7ffff7275421 in event_call lib/event.c:1996 FRRouting#9 0x7ffff7140797 in frr_run lib/libfrr.c:1237 FRRouting#10 0x5555557f5840 in main pimd/pim_main.c:166 FRRouting#11 0x7ffff6a54082 in __libc_start_main ../csu/libc-start.c:308 previously allocated by thread T0 here: #0 0x7ffff767ba06 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153 FRRouting#1 0x7ffff716ebe1 in qcalloc lib/memory.c:106 FRRouting#2 0x555555716eb7 in pim_channel_oil_add pimd/pim_oil.c:133 FRRouting#3 0x55555573b2b9 in tib_sg_oil_setup pimd/pim_tib.c:30 FRRouting#4 0x55555573bdd3 in tib_sg_gm_join pimd/pim_tib.c:119 FRRouting#5 0x5555557d6788 in igmp_source_forward_start pimd/pim_igmp.c:193 FRRouting#6 0x5555557d5771 in igmp_anysource_forward_start pimd/pim_igmp.c:51 FRRouting#7 0x5555557ecaa0 in group_exclude_fwd_anysrc_ifempty pimd/pim_igmpv3.c:310 FRRouting#8 0x5555557ef937 in toex_incl pimd/pim_igmpv3.c:839 FRRouting#9 0x5555557f00a2 in igmpv3_report_toex pimd/pim_igmpv3.c:938 FRRouting#10 0x5555557f543d in igmp_v3_recv_report pimd/pim_igmpv3.c:2000 FRRouting#11 0x5555557da2b4 in pim_igmp_packet pimd/pim_igmp.c:787 FRRouting#12 0x5555556ee46a in process_igmp_packet pimd/pim_mroute.c:763 FRRouting#13 0x5555556ee5f3 in pim_mroute_msg pimd/pim_mroute.c:787 FRRouting#14 0x5555556eef58 in mroute_read pimd/pim_mroute.c:877 FRRouting#15 0x7ffff7275421 in event_call lib/event.c:1996 FRRouting#16 0x7ffff7140797 in frr_run lib/libfrr.c:1237 FRRouting#17 0x5555557f5840 in main pimd/pim_main.c:166 FRRouting#18 0x7ffff6a54082 in __libc_start_main ../csu/libc-start.c:308 SUMMARY: AddressSanitizer: heap-use-after-free pimd/pim_igmpv3.c:340 in igmp_source_delete Shadow bytes around the buggy address: 0x0c2c8000dd40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2c8000dd50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2c8000dd60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2c8000dd70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2c8000dd80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c2c8000dd90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd 0x0c2c8000dda0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2c8000ddb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2c8000ddc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2c8000ddd0: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa 0x0c2c8000dde0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ``` Signed-off-by: Jafar Al-Gharaibeh <jafar@atcorp.com>

NetDEF-CI added this to the 2.0-rc1 milestone Dec 19, 2016

NetDEF-CI added the bug label Dec 19, 2016

mwinter-osr assigned rwestphal Dec 19, 2016

donaldsharp closed this as completed Jan 7, 2017

louberger mentioned this issue May 15, 2018

Bgpd crash on shutdown when have VRFs and leaked routes #2184

Closed

mdash-vmware mentioned this issue Oct 8, 2018

BGPd crashed on 2 routers while running Topotest "test_bgp_l3vpn_to_bgp_vrf.py" #3144

Closed

karamalla0406 mentioned this issue Nov 14, 2018

BGP daemon crash a L2VNI in unconfigured #3333

Closed

cfra referenced this issue in opensourcerouting/frr Nov 29, 2018

Merge pull request #18 from opensourcerouting/ARM-fixes

691e76b

Fixes to run topotest on ARM7 testbeds (and more reliable on other systems)

louberger mentioned this issue May 1, 2019

Zebra diet #4236

Merged

Spantik mentioned this issue Feb 21, 2020

Zebra: Zebra gr dynamic client handling #5850

Merged

donaldsharp mentioned this issue Jul 1, 2020

description line in route-maps leaks memory #6659

Closed

This was referenced Oct 16, 2020

zebra: Fix use after free in debug path #7330

Merged

[7.5]zebra: Fix use after free in debug path #7331

Merged

gpnaveen mentioned this issue Jan 21, 2021

[FRR OSPFv2] OSPFd Coredump seen at ospf_ls_upd_send in ASBR summarisation topotest is executed (Pull Req : 7096) #7895

Closed

rgirada mentioned this issue Jul 20, 2021

ospfd: ospfd crash while giving 'clear ip ospf neighbor' #9093

Merged

ranjanyash54 pushed a commit to ranjanyash54/frr that referenced this issue Aug 22, 2021

Merge pull request FRRouting#18 from ranjanyash54/delete_config

5e8e865

cmgd: delete-config command

wangshengjun mentioned this issue Nov 12, 2021

zebra: add the parameter check to avoid zebra crash issue which cause… #10041

Closed

qing8717 mentioned this issue Mar 18, 2023

yang: In some special configure，the command [show yang operational-data /frr-vrf:lib zebra] leads to segmentfault error #13029

Closed

donaldsharp mentioned this issue May 2, 2023

new rip bfd code crashes rip every time #13415

Closed

mergify bot mentioned this issue Aug 21, 2024

bgpd: fix crash at no rpki (backport #16608) #16618

Merged

mergify bot mentioned this issue Aug 22, 2024

bgpd: fix crash at no rpki (backport 9.1 and lower) (backport #16612) #16626

Merged

mergify bot mentioned this issue Aug 22, 2024

bgpd: fix crash at no rpki (backport 9.1 and lower) (backport #16612) #16627

Merged

louis-6wind mentioned this issue Aug 27, 2024

isisd: fix crash at flex-algo without mpls-te #16665

Merged

This was referenced Aug 27, 2024

isisd: fix crash at flex-algo without mpls-te (backport #16665) #16668

Merged

isisd: fix crash at flex-algo without mpls-te (backport #16665) #16669

Merged

louis-6wind mentioned this issue Sep 9, 2024

isisd: fix crash at flex-algo affinity setting #16772

Merged

louis-6wind mentioned this issue Sep 10, 2024

bgpd: fix as-path exclude modify crash #16779

Merged

This was referenced Sep 11, 2024

bgpd: fix as-path exclude modify crash #16794

Merged

bgpd: fix as-path exclude modify crash #16795

Merged

louis-6wind mentioned this issue Sep 12, 2024

tests: fix isis_lsp_bits_topo1 race condition #16807

Merged

This was referenced Sep 13, 2024

bgpd: fix as-path exclude modify crash (backport #16779) #16813

Closed

bgpd: fix as-path exclude modify crash (backport #16779) #16814

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ldpd should display interfaces in order consistent with the rest of the routing protocols #18

ldpd should display interfaces in order consistent with the rest of the routing protocols #18

NetDEF-CI commented Dec 19, 2016

rwestphal commented Dec 21, 2016

donaldsharp commented Jan 7, 2017

ldpd should display interfaces in order consistent with the rest of the routing protocols #18

ldpd should display interfaces in order consistent with the rest of the routing protocols #18

Comments

NetDEF-CI commented Dec 19, 2016

rwestphal commented Dec 21, 2016

donaldsharp commented Jan 7, 2017