ospf6d: Prevent crash in adj_ok

The adj_ok thread event is being added but not killed
when the underlying interface is deleted.  I am seeing
this crash:

OSPF6: Received signal 11 at 1636142186 (si_addr 0x0, PC 0x561d7fc42285); aborting...
OSPF6: zlog_signal+0x18c                  7f227e93519a     7ffdae024590 /lib/libfrr.so.0 (mapped at 0x7f227e884000)
OSPF6: core_handler+0xe3                  7f227e97305e     7ffdae0246b0 /lib/libfrr.so.0 (mapped at 0x7f227e884000)
OSPF6: funlockfile+0x50                   7f227e863140     7ffdae024800 /lib/x86_64-linux-gnu/libpthread.so.0 (mapped at 0x7f227e84f000)
OSPF6:     ---- signal ----
OSPF6: need_adjacency+0x10                561d7fc42285     7ffdae024db0 /usr/lib/frr/ospf6d (mapped at 0x561d7fbc6000)
OSPF6: adj_ok+0x180                       561d7fc42f0b     7ffdae024dc0 /usr/lib/frr/ospf6d (mapped at 0x561d7fbc6000)
OSPF6: thread_call+0xc2                   7f227e989e32     7ffdae024e00 /lib/libfrr.so.0 (mapped at 0x7f227e884000)
OSPF6: frr_run+0x217                      7f227e92a7f3     7ffdae024ec0 /lib/libfrr.so.0 (mapped at 0x7f227e884000)
OSPF6: main+0xf3                          561d7fc0f573     7ffdae024fd0 /usr/lib/frr/ospf6d (mapped at 0x561d7fbc6000)
OSPF6: __libc_start_main+0xea             7f227e6b0d0a     7ffdae025010 /lib/x86_64-linux-gnu/libc.so.6 (mapped at 0x7f227e68a000)
OSPF6: _start+0x2a                        561d7fc0f06a     7ffdae0250e0 /usr/lib/frr/ospf6d (mapped at 0x561d7fbc6000)
OSPF6: in thread adj_ok scheduled from ospf6d/ospf6_interface.c:678 dr_election()

The crash is in the on->ospf6_if pointer is NULL.  The only way this could
happen from what I can tell is that the event is added to the system
and then we immediately delete the interface, removing the memory
but not freeing up the adj_ok thread event.

Signed-off-by: Donald Sharp <sharpd@nvidia.com>

diff --git a/ospf6d/ospf6_interface.c b/ospf6d/ospf6_interface.c
index 64992bbcee12f163411ef824b57a89c1c5c5c13b..4205be38ba62c9cb138a3e2c54fba7bc60e7a620 100644 (file)
--- a/ospf6d/ospf6_interface.c
+++ b/ospf6d/ospf6_interface.c
@@ -675,7 +675,8 @@ uint8_t dr_election(struct ospf6_interface *oi)
                        if (on->state < OSPF6_NEIGHBOR_TWOWAY)
                                continue;
                        /* Schedule AdjOK. */
-                       thread_add_event(master, adj_ok, on, 0, NULL);
+                       thread_add_event(master, adj_ok, on, 0,
+                                        &on->thread_adj_ok);
                }
        }
 

diff --git a/ospf6d/ospf6_neighbor.c b/ospf6d/ospf6_neighbor.c
index 1ff986d278132049f4e58e536091aaa36d025ece..3d0dde8c65a699c595b50b0e999c9cc933f58063 100644 (file)
--- a/ospf6d/ospf6_neighbor.c
+++ b/ospf6d/ospf6_neighbor.c
@@ -169,6 +169,8 @@ void ospf6_neighbor_delete(struct ospf6_neighbor *on)
        THREAD_OFF(on->thread_send_lsupdate);
        THREAD_OFF(on->thread_send_lsack);
        THREAD_OFF(on->thread_exchange_done);
+       THREAD_OFF(on->thread_adj_ok);
+
        THREAD_OFF(on->gr_helper_info.t_grace_timer);
 
        bfd_sess_free(&on->bfd_session);
@@ -605,6 +607,7 @@ int oneway_received(struct thread *thread)
        THREAD_OFF(on->thread_send_lsupdate);
        THREAD_OFF(on->thread_send_lsack);
        THREAD_OFF(on->thread_exchange_done);
+       THREAD_OFF(on->thread_adj_ok);
 
        return 0;
 }

diff --git a/ospf6d/ospf6_neighbor.h b/ospf6d/ospf6_neighbor.h
index 376d2fe4bc1400f5139363b3d70ee6adbaaa9571..de59a1ccf5778685ba69dae675c3a2d5eb30c9bd 100644 (file)
--- a/ospf6d/ospf6_neighbor.h
+++ b/ospf6d/ospf6_neighbor.h
@@ -137,6 +137,7 @@ struct ospf6_neighbor {
        struct thread *thread_send_lsupdate;
        struct thread *thread_send_lsack;
        struct thread *thread_exchange_done;
+       struct thread *thread_adj_ok;
 
        /* BFD information */
        struct bfd_session_params *bfd_session;