pimd: Fix possible double free of upstream

Fix possible double free of upstream and in
addition add some debug code to help find
where the problem is coming from.

Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>

diff --git a/pimd/pim_ifchannel.c b/pimd/pim_ifchannel.c
index a811742e3e9b651d0550880bba373ce66d3ec613..c2d27f1ec860fb718068794b20e9bece49c5db96 100644 (file)
--- a/pimd/pim_ifchannel.c
+++ b/pimd/pim_ifchannel.c
@@ -127,7 +127,7 @@ void pim_ifchannel_delete(struct pim_ifchannel *ch)
     pim_upstream_update_join_desired(ch->upstream);
   }
 
-  pim_upstream_del(ch->upstream);
+  pim_upstream_del(ch->upstream, __PRETTY_FUNCTION__);
   ch->upstream = NULL;
 
   THREAD_OFF(ch->t_ifjoin_expiry_timer);
@@ -365,7 +365,7 @@ pim_ifchannel_add(struct interface *ifp,
   pim_ifp = ifp->info;
   zassert(pim_ifp);
 
-  up = pim_upstream_add(sg, NULL, flags);
+  up = pim_upstream_add(sg, NULL, flags, __PRETTY_FUNCTION__);
   if (!up) {
     zlog_err("%s: could not attach upstream (S,G)=%s on interface %s",
             __PRETTY_FUNCTION__,

diff --git a/pimd/pim_mroute.c b/pimd/pim_mroute.c
index 5f8d180742e4a08812257ddf27675d84b23748a4..7935f7290ec5a332f6d837dbe586ef974f91e691 100644 (file)
--- a/pimd/pim_mroute.c
+++ b/pimd/pim_mroute.c
@@ -136,7 +136,7 @@ pim_mroute_msg_nocache (int fd, struct interface *ifp, const struct igmpmsg *msg
     return 0;
   }
 
-  up = pim_upstream_add (&sg, ifp, PIM_UPSTREAM_FLAG_MASK_FHR);
+  up = pim_upstream_add (&sg, ifp, PIM_UPSTREAM_FLAG_MASK_FHR, __PRETTY_FUNCTION__);
   if (!up) {
     if (PIM_DEBUG_MROUTE) {
       zlog_debug("%s: Failure to add upstream information for %s",
@@ -371,7 +371,7 @@ pim_mroute_msg_wrvifwhole (int fd, struct interface *ifp, const char *buf)
     pim_mroute_add (oil);
   if (pim_if_connected_to_source (ifp, sg.src))
     {
-      up = pim_upstream_add (&sg, ifp, PIM_UPSTREAM_FLAG_MASK_FHR);
+      up = pim_upstream_add (&sg, ifp, PIM_UPSTREAM_FLAG_MASK_FHR, __PRETTY_FUNCTION__);
       if (!up)
        {
          if (PIM_DEBUG_MROUTE)

diff --git a/pimd/pim_register.c b/pimd/pim_register.c
index 62973bc9c1b593c2de6650b9304defa17c1b43ca..c941388dc45a9ce5a4d6b81eea4d15352e7e8f1b 100644 (file)
--- a/pimd/pim_register.c
+++ b/pimd/pim_register.c
@@ -333,7 +333,9 @@ pim_register_recv (struct interface *ifp,
      */
     if (!upstream)
       {
-       upstream = pim_upstream_add (&sg, ifp, PIM_UPSTREAM_FLAG_MASK_SRC_STREAM);
+       upstream = pim_upstream_add (&sg, ifp,
+                                    PIM_UPSTREAM_FLAG_MASK_SRC_STREAM,
+                                    __PRETTY_FUNCTION__);
         if (!upstream)
           {
             zlog_warn ("Failure to create upstream state");

diff --git a/pimd/pim_upstream.c b/pimd/pim_upstream.c
index b103a4fc66213f15f948c78245acc915cf97f7e7..ee26683547fb4c2799af194d56aff6ffd86c3169 100644 (file)
--- a/pimd/pim_upstream.c
+++ b/pimd/pim_upstream.c
@@ -156,8 +156,19 @@ static void upstream_channel_oil_detach(struct pim_upstream *up)
   }
 }
 
-void pim_upstream_delete(struct pim_upstream *up)
+void
+pim_upstream_del(struct pim_upstream *up, const char *name)
 {
+  if (PIM_DEBUG_PIM_TRACE)
+    {
+      zlog_debug ("%s: Delete (%s) ref count: %d",
+                 name, pim_str_sg_dump (&up->sg), up->ref_count);
+    }
+  --up->ref_count;
+
+  if (up->ref_count >= 1)
+    return;
+
   if (PIM_DEBUG_PIM_TRACE)
     zlog_debug ("%s: %s is being deleted",
                __PRETTY_FUNCTION__,
@@ -548,29 +559,27 @@ struct pim_upstream *pim_upstream_find(struct prefix_sg *sg)
 
 struct pim_upstream *pim_upstream_add(struct prefix_sg *sg,
                                      struct interface *incoming,
-                                     int flags)
+                                     int flags, const char *name)
 {
   struct pim_upstream *up = NULL;
-
+  int found = 0;
   up = pim_upstream_find(sg);
   if (up) {
     ++up->ref_count;
     up->flags |= flags;
+    found = 1;
   }
   else {
     up = pim_upstream_new(sg, incoming, flags);
   }
 
-  return up;
-}
-
-void pim_upstream_del(struct pim_upstream *up)
-{
-  --up->ref_count;
+  if (PIM_DEBUG_TRACE)
+    zlog_debug("%s(%s): (%s), found: %d: ref_count: %d",
+              __PRETTY_FUNCTION__, name,
+              pim_str_sg_dump (&up->sg), found,
+              up->ref_count);
 
-  if (up->ref_count < 1) {
-    pim_upstream_delete(up);
-  }
+  return up;
 }
 
 static int
@@ -885,7 +894,10 @@ pim_upstream_keep_alive_timer (struct thread *t)
                           &up->sg, 0);
       PIM_UPSTREAM_FLAG_UNSET_SRC_STREAM (up->flags);
       if (PIM_UPSTREAM_FLAG_TEST_CREATED_BY_UPSTREAM(up->flags))
-       pim_upstream_del (up);
+       {
+         PIM_UPSTREAM_FLAG_UNSET_CREATED_BY_UPSTREAM(up->flags);
+         pim_upstream_del (up, __PRETTY_FUNCTION__);
+       }
     }
   else
     {

diff --git a/pimd/pim_upstream.h b/pimd/pim_upstream.h
index 70b5b01062ec3dbbbbcdbb1c8380b67c41a2f810..41fcd286798e53ee01afe79d9145cff9168d9687 100644 (file)
--- a/pimd/pim_upstream.h
+++ b/pimd/pim_upstream.h
@@ -116,11 +116,11 @@ struct list *pim_upstream_list;
 struct hash *pim_upstream_hash;
 
 void pim_upstream_free(struct pim_upstream *up);
-void pim_upstream_delete(struct pim_upstream *up);
 struct pim_upstream *pim_upstream_find (struct prefix_sg *sg);
 struct pim_upstream *pim_upstream_add (struct prefix_sg *sg,
-                                     struct interface *ifp, int);
-void pim_upstream_del(struct pim_upstream *up);
+                                      struct interface *ifp, int flags,
+                                      const char *name);
+void pim_upstream_del(struct pim_upstream *up, const char *name);
 
 int pim_upstream_evaluate_join_desired(struct pim_upstream *up);
 void pim_upstream_update_join_desired(struct pim_upstream *up);