Skip to content

Zebra crashes when fpm_read processes route with protocol RTPROT_KERNEL #13754

New issue
New issue
Closed
#13757
Closed
Zebra crashes when fpm_read processes route with protocol RTPROT_KERNEL#13754
#13757
Labels
triageNeeds further investigation
@dgsudharsan

Description

@dgsudharsan
dgsudharsan
opened on Jun 9, 2023

Describe the bug
FRR version is 8.5.1
When fpm_read processes a route with protocol RTPROT_KERNEL zebra crashes. This happens with the following backtrace

Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/usr/lib/frr/zebra -A 127.0.0.1 -s 90000000 -M dplane_fpm_nl -M snmp --asic-off'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x0000555dd5ceae80 in dplane_intf_extra_list_pop (h=0x7fae1c007e68) at ../zebra/zebra_dplane.c:427
427 ../zebra/zebra_dplane.c: No such file or directory.
[Current thread is 1 (Thread 0x7fae2aa99700 (LWP 43))]
(gdb) bt
#0 0x0000555dd5ceae80 in dplane_intf_extra_list_pop (h=0x7fae1c007e68) at ../zebra/zebra_dplane.c:427
#1 dplane_ctx_free_internal (ctx=0x7fae1c0074b0) at ../zebra/zebra_dplane.c:724
#2 0x0000555dd5cebc99 in dplane_ctx_free (pctx=0x7fae2aa88c98) at ../zebra/zebra_dplane.c:869
#3 dplane_ctx_free (pctx=0x7fae2aa88c98, pctx@entry=0x7fae2aa78c28) at ../zebra/zebra_dplane.c:855
#4 dplane_ctx_fini (pctx=pctx@entry=0x7fae2aa88c98) at ../zebra/zebra_dplane.c:890
#5 0x00007fae31e93f29 in fpm_read (t=) at ../zebra/dplane_fpm_nl.c:605
#6 0x00007fae325191dd in thread_call (thread=thread@entry=0x7fae2aa98da0) at ../lib/thread.c:2006
#7 0x00007fae324c42b8 in fpt_run (arg=0x555dd74777c0) at ../lib/frr_pthread.c:309
#8 0x00007fae32405ea7 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#9 0x00007fae32325a2f in clone () from /lib/x86_64-linux-gnu/libc.so.6

(gdb) p ctx->u.rinfo.intf_extra_list
$7 = {dh = {hitem = {next = 0x0, prev = 0x0}, count = 0}}

The issue happens after the introduction of this commit ac96497

The issue happens when netlink_route_change_read_unicast_internal returns anything other than 1. (

frr/zebra/dplane_fpm_nl.c

Line 603 in 7a2b85a

if (netlink_route_change_read_unicast_internal(
)

The ctx object is allocated just above the function

frr/zebra/dplane_fpm_nl.c

Line 601 in 7a2b85a

ctx = dplane_ctx_alloc();

With the commit I pointed out the failure handling has dplane_ctx_fini(&ctx) which tries to access ditem->next as shown below.

frr/lib/typesafe.h

Line 411 in a19aa56

ditem->prev->next = ditem->next; \

  • Did you check if this is a duplicate issue?
  • Did you test it on the latest FRRouting/frr master branch?

To Reproduce

Expected behavior

Zebra shouldn't crash
Screenshots

Versions

  • OS Version:
    SONiC latest master
  • Kernel:
    Linux 5.10
  • FRR Version:
    8.5.1
    Additional context

Metadata

Metadata

Assignees

No one assigned

    Labels

    triageNeeds further investigation

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions