isis crash #4

donaldsharp · 2016-12-16T17:40:17Z

(gdb) bt
#0 0x00007f8a5c930067 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00007f8a5c931448 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2 0x00007f8a5c96e1b4 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#3 0x00007f8a5c97398e in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#4 0x00007f8a5c974696 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#5 0x000055dda631e615 in lsp_clear_data (lsp=lsp@entry=0x55dda73daaa0) at isis_lsp.c:123
#6 0x000055dda631e731 in lsp_destroy (lsp=0x55dda73daaa0) at isis_lsp.c:154
#7 0x000055dda6322ea9 in lsp_tick (thread=) at isis_lsp.c:2670
#8 0x00007f8a5d74539d in thread_call (thread=0x7ffde5c4a0c8) at thread.c:1462
#9 0x000055dda631d070 in main (argc=4, argv=, envp=) at isis_main.c:390
(gdb)

[6:35]

2016/12/14 23:27:32.188829 ISIS: lan hello on non broadcast circuit
2016/12/14 23:27:32.189054 ISIS: %ADJCHANGE: Adjacency to 1921.6810.0009 (swp1) changed from Unknown to Initializing, unspecified
2016/12/14 23:27:32.189064 ISIS: %ADJCHANGE: Adjacency to 1921.6810.0009 (swp1) changed from Initializing to Up, unspecified
2016/12/14 23:27:37.186777 ISIS: ISIS-Upd (FOO): LSP 0000.0000.0000.00-00 seq 0x00000001 with confused checksum received.
2016/12/14 23:27:37.186876 ISIS: ISIS-Spf: TENT is empty SPF-root:r10
2016/12/14 23:27:37.247257 ISIS: ISIS-Upd (FOO): LSP 1921.6810.0009.00-00 invalid LSP is type 0
2016/12/14 23:27:49.675359 ISIS: ISIS-Spf: TENT is empty SPF-root:r10
2016/12/14 23:27:50.250427 ISIS: ISIS-Spf: TENT is empty SPF-root:r10
2016/12/14 23:27:51.189042 ISIS: ISIS-Spf: TENT is empty SPF-root:r10
2016/12/14 23:28:02.189823 ISIS: ISIS-Spf: TENT is empty SPF-root:r10
2016/12/14 23:28:03.252071 ISIS: ISIS-Spf: TENT is empty SPF-root:r10
2016/12/14 23:28:38.532282 ISIS: ISIS-Upd (FOO): L1 LSP 0000.0000.0000.00-00 seq 0x00000001 aged out
2016/12/14 23:30:39.319943 ZEBRA: client 12 disconnected. 9 isis routes removed from the rib
2016/12/14 23:31:09.433950 ZEBRA: Terminating on signal
2016/12/14 23:31:09.433991 ZEBRA: IRDP: Received shutdown notification.

[6:35]

 r6 ---- r9 --- r10
 |\      |       |
 | \     |       |
 |  \    r8 --- r11
 |   r7
 r5  |
 | \ |
 |  r3 --- r2
 | /        |
 r4        r1

[6:36]
In the above topology we are seeing crashes in isis on r11, r4, and r7

[6:36]
config on r10:

[6:37]

interface lo
ip router isis FOO
isis circuit-type level-1
isis passive
!
interface swp1
ip router isis FOO
isis circuit-type level-1
isis network point-to-point
!
interface swp2
ip router isis FOO
isis circuit-type level-1
isis network point-to-point
!
router isis FOO
net 49.0003.1921.6810.0010.00
metric-style wide
is-type level-1
log-adjacency-changes
!```

[6:37]  
oh yeah crash on r10 aswell

The text was updated successfully, but these errors were encountered:

eqvinox · 2016-12-16T18:09:14Z

do we have some pcap files for this?

donaldsharp · 2017-01-03T19:45:26Z

output.swp2.pcap.gz
output.swp1.pcap.gz

Multiple iterations of the crash hopefully included in the 2 pcap files. This is on r11

donaldsharp · 2017-01-05T23:42:53Z

Valgrind caught it this time:

==7946== Invalid free() / delete / delete[] / realloc()
==7946== at 0x4C29E90: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7946== by 0x119634: lsp_clear_data (isis_lsp.c:119)
==7946== by 0x119750: lsp_destroy (isis_lsp.c:150)
==7946== by 0x11DEC8: lsp_tick (isis_lsp.c:2639)
==7946== by 0x4E611CB: thread_call (thread.c:1442)
==7946== by 0x11808F: main (isis_main.c:389)
==7946== Address 0x7d94fdc is 28 bytes inside a block of size 43 alloc'd
==7946== at 0x4C28C20: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7946== by 0x4E7E9B8: qmalloc (memory.c:61)
==7946== by 0x4E69901: stream_new (stream.c:105)
==7946== by 0x4E69AB3: stream_dup (stream.c:149)
==7946== by 0x11990B: lsp_update_data (isis_lsp.c:485)
==7946== by 0x11A579: lsp_update (isis_lsp.c:554)
==7946== by 0x12628F: process_lsp (isis_pdu.c:1526)
==7946== by 0x12679F: isis_handle_pdu (isis_pdu.c:2116)
==7946== by 0x12679F: isis_receive (isis_pdu.c:2157)
==7946== by 0x4E611CB: thread_call (thread.c:1442)
==7946== by 0x11808F: main (isis_main.c:389)
==7946==
==7946== Invalid free() / delete / delete[] / realloc()
==7946== at 0x4C29E90: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7946== by 0x119657: lsp_clear_data (isis_lsp.c:121)
==7946== by 0x119750: lsp_destroy (isis_lsp.c:150)
==7946== by 0x11DEC8: lsp_tick (isis_lsp.c:2639)
==7946== by 0x4E611CB: thread_call (thread.c:1442)
==7946== by 0x11808F: main (isis_main.c:389)
==7946== Address 0x7d94fe7 is 39 bytes inside a block of size 43 alloc'd
==7946== at 0x4C28C20: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7946== by 0x4E7E9B8: qmalloc (memory.c:61)
==7946== by 0x4E69901: stream_new (stream.c:105)
==7946== by 0x4E69AB3: stream_dup (stream.c:149)
==7946== by 0x11990B: lsp_update_data (isis_lsp.c:485)
==7946== by 0x11A579: lsp_update (isis_lsp.c:554)
==7946== by 0x12628F: process_lsp (isis_pdu.c:1526)
==7946== by 0x12679F: isis_handle_pdu (isis_pdu.c:2116)
==7946== by 0x12679F: isis_receive (isis_pdu.c:2157)
==7946== by 0x4E611CB: thread_call (thread.c:1442)
==7946== by 0x11808F: main (isis_main.c:389)
==7946==

donaldsharp · 2017-01-05T23:54:24Z

So in isis_tlv.c we have this:

case DYNAMIC_HOSTNAME:
  *found |= TLVFLAG_DYN_HOSTNAME;

#ifdef EXTREME_TLV_DEBUG
zlog_debug ("ISIS-TLV (%s): Dynamic Hostname length %d",
areatag, length);
#endif /* EXTREME_TLV_DEBUG */
if (expected & TLVFLAG_DYN_HOSTNAME)
{
/ the length is also included in the pointed struct */
tlvs->hostname = (struct hostname *) (pnt - 1);
}
pnt += length;
break;

pnt is set off the stream_dup that lsp->pdu is set from, but we have a lsp->own_lsp set to true hence the crash.

donaldsharp · 2017-01-06T00:50:10Z

Commit 4fedc05 addresses the issue from happening. But I would like to see Christian comment on the further debugging I provided before closing to see if he thinks what he has done has sufficiently closed the loop holes.

donaldsharp · 2017-01-06T01:01:29Z

actually I was wrong, I just happened to recheck my test setup and am seeing the same core files.

donaldsharp · 2017-01-06T20:15:04Z

Resolved via 07f2fb1

* commit '4709b4faa43907ed9fcaf5920e56b6664f0523cf': bgpd: peer hash expands until we are out of memory

Signed-off-by: Daniel Walton <dwalton@cumulusnetworks.com> Reviewed-by: Donald Sharp <sharpd@cumulusnetworks.com> Ticket: CM-17175 If you are doing multipath in a VRF and bounce one of the multipaths for a prefix, bgp is not updating the zebra entry for that prefix with the new multipaths. We start with: cel-redxp-10# show bgp vrf RED ipv4 unicast 6.0.0.16/32 BGP routing table entry for 6.0.0.16/32 Paths: (4 available, best #4, table RED) Advertised to non peer-group peers: spine-1(swp1) spine-2(swp2) spine-3(swp3) spine-4(swp4) 104 65104 65002 fe80::202:ff:fe00:2d from spine-4(swp4) (6.0.0.12) (fe80::202:ff:fe00:2d) (used) Origin incomplete, localpref 100, valid, external, multipath, bestpath-from-AS 104 AddPath ID: RX 0, TX 21 Last update: Tue Aug 1 18:28:33 2017 102 65104 65002 fe80::202:ff:fe00:25 from spine-2(swp2) (6.0.0.10) (fe80::202:ff:fe00:25) (used) Origin incomplete, localpref 100, valid, external, multipath, bestpath-from-AS 102 AddPath ID: RX 0, TX 20 Last update: Tue Aug 1 18:28:33 2017 103 65104 65002 fe80::202:ff:fe00:29 from spine-3(swp3) (6.0.0.11) (fe80::202:ff:fe00:29) (used) Origin incomplete, localpref 100, valid, external, multipath, bestpath-from-AS 103 AddPath ID: RX 0, TX 17 Last update: Tue Aug 1 18:28:33 2017 101 65104 65002 fe80::202:ff:fe00:21 from spine-1(swp1) (6.0.0.9) (fe80::202:ff:fe00:21) (used) Origin incomplete, localpref 100, valid, external, multipath, bestpath-from-AS 101, best AddPath ID: RX 0, TX 8 Last update: Tue Aug 1 18:28:33 2017 cel-redxp-10# cel-redxp-10# show ip route vrf RED 6.0.0.16/32 Routing entry for 6.0.0.16/32 Known via "bgp", distance 20, metric 0, vrf RED, best Last update 00:00:25 ago * fe80::202:ff:fe00:21, via swp1 * fe80::202:ff:fe00:25, via swp2 * fe80::202:ff:fe00:29, via swp3 * fe80::202:ff:fe00:2d, via swp4 cel-redxp-10# And then on spine-1 we bounce all peers spine-1# clear ip bgp * spine-1# On the leaf (cel-redxp-10) we remove the route from spine-1 cel-redxp-10# show ip route vrf RED 6.0.0.16/32 Routing entry for 6.0.0.16/32 Known via "bgp", distance 20, metric 0, vrf RED, best Last update 00:00:01 ago * fe80::202:ff:fe00:25, via swp2 * fe80::202:ff:fe00:29, via swp3 * fe80::202:ff:fe00:2d, via swp4 cel-redxp-10# So far so good. The problem is when the session to spine-1 comes back up bgp will mark the flag from spine-1 as multipath but does not update zebra. We end up in a state where BGP has 4 paths flags as multipath but only 3 paths are in the RIB.

Signed-off-by: Daniel Walton <dwalton@cumulusnetworks.com> If you are doing multipath in a VRF and bounce one of the multipaths for a prefix, bgp is not updating the zebra entry for that prefix with the new multipaths. We start with: cel-redxp-10# show bgp vrf RED ipv4 unicast 6.0.0.16/32 BGP routing table entry for 6.0.0.16/32 Paths: (4 available, best #4, table RED) Advertised to non peer-group peers: spine-1(swp1) spine-2(swp2) spine-3(swp3) spine-4(swp4) 104 65104 65002 fe80::202:ff:fe00:2d from spine-4(swp4) (6.0.0.12) (fe80::202:ff:fe00:2d) (used) Origin incomplete, localpref 100, valid, external, multipath, bestpath-from-AS 104 AddPath ID: RX 0, TX 21 Last update: Tue Aug 1 18:28:33 2017 102 65104 65002 fe80::202:ff:fe00:25 from spine-2(swp2) (6.0.0.10) (fe80::202:ff:fe00:25) (used) Origin incomplete, localpref 100, valid, external, multipath, bestpath-from-AS 102 AddPath ID: RX 0, TX 20 Last update: Tue Aug 1 18:28:33 2017 103 65104 65002 fe80::202:ff:fe00:29 from spine-3(swp3) (6.0.0.11) (fe80::202:ff:fe00:29) (used) Origin incomplete, localpref 100, valid, external, multipath, bestpath-from-AS 103 AddPath ID: RX 0, TX 17 Last update: Tue Aug 1 18:28:33 2017 101 65104 65002 fe80::202:ff:fe00:21 from spine-1(swp1) (6.0.0.9) (fe80::202:ff:fe00:21) (used) Origin incomplete, localpref 100, valid, external, multipath, bestpath-from-AS 101, best AddPath ID: RX 0, TX 8 Last update: Tue Aug 1 18:28:33 2017 cel-redxp-10# cel-redxp-10# show ip route vrf RED 6.0.0.16/32 Routing entry for 6.0.0.16/32 Known via "bgp", distance 20, metric 0, vrf RED, best Last update 00:00:25 ago * fe80::202:ff:fe00:21, via swp1 * fe80::202:ff:fe00:25, via swp2 * fe80::202:ff:fe00:29, via swp3 * fe80::202:ff:fe00:2d, via swp4 cel-redxp-10# And then on spine-1 we bounce all peers spine-1# clear ip bgp * spine-1# On the leaf (cel-redxp-10) we remove the route from spine-1 cel-redxp-10# show ip route vrf RED 6.0.0.16/32 Routing entry for 6.0.0.16/32 Known via "bgp", distance 20, metric 0, vrf RED, best Last update 00:00:01 ago * fe80::202:ff:fe00:25, via swp2 * fe80::202:ff:fe00:29, via swp3 * fe80::202:ff:fe00:2d, via swp4 cel-redxp-10# So far so good. The problem is when the session to spine-1 comes back up bgp will mark the flag from spine-1 as `multipath` but does not update zebra. We end up in a state where BGP has 4 paths flags as multipath but only 3 paths are in the RIB.

More error stuff

Some bgp evpn memory contexts are not freed at the end of the bgp process. > ================================================================= > ==1208677==ERROR: LeakSanitizer: detected memory leaks > > Direct leak of 96 byte(s) in 2 object(s) allocated from: > #0 0x7f93ad4b4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 > FRRouting#1 0x7f93ace77233 in qcalloc lib/memory.c:106 > FRRouting#2 0x563bb68f4df1 in process_type5_route bgpd/bgp_evpn.c:5084 > FRRouting#3 0x563bb68fb663 in bgp_nlri_parse_evpn bgpd/bgp_evpn.c:6302 > FRRouting#4 0x563bb69ea2a9 in bgp_nlri_parse bgpd/bgp_packet.c:347 > FRRouting#5 0x563bb69f7716 in bgp_update_receive bgpd/bgp_packet.c:2482 > FRRouting#6 0x563bb6a04d3b in bgp_process_packet bgpd/bgp_packet.c:4091 > FRRouting#7 0x7f93acf8082d in event_call lib/event.c:1996 > FRRouting#8 0x7f93ace48931 in frr_run lib/libfrr.c:1232 > FRRouting#9 0x563bb6880ae1 in main bgpd/bgp_main.c:557 > FRRouting#10 0x7f93ac829d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Actually, the bgp evpn context may noy be used if adj rib in is unused. This may lead to memory leaks. Fix this by freeing the context in those corner cases. Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>

When running the bgp_evpn_rt5 setup with unified config, memory leak about a non deleted BGP instance happens. > root@ubuntu2204hwe:~/frr/tests/topotests/bgp_evpn_rt5# cat /tmp/topotests/bgp_evpn_rt5.test_bgp_evpn/r1.asan.bgpd.1164105 > > ================================================================= > ==1164105==ERROR: LeakSanitizer: detected memory leaks > > Indirect leak of 12496 byte(s) in 1 object(s) allocated from: > #0 0x7f358eeb4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 > FRRouting#1 0x7f358e877233 in qcalloc lib/memory.c:106 > FRRouting#2 0x55d06c95680a in bgp_create bgpd/bgpd.c:3405 > FRRouting#3 0x55d06c95a7b3 in bgp_get bgpd/bgpd.c:3805 > FRRouting#4 0x55d06c87a9b5 in bgp_get_vty bgpd/bgp_vty.c:603 > FRRouting#5 0x55d06c68dc71 in bgp_evpn_local_l3vni_add bgpd/bgp_evpn.c:7032 > FRRouting#6 0x55d06c92989b in bgp_zebra_process_local_l3vni bgpd/bgp_zebra.c:3204 > FRRouting#7 0x7f358e9e3feb in zclient_read lib/zclient.c:4626 > FRRouting#8 0x7f358e98082d in event_call lib/event.c:1996 > FRRouting#9 0x7f358e848931 in frr_run lib/libfrr.c:1232 > FRRouting#10 0x55d06c60eae1 in main bgpd/bgp_main.c:557 > FRRouting#11 0x7f358e229d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Actually, a BGP VRF Instance is created in auto mode when creating the global BGP instance for the L3 VNI. And again, an other BGP VRF instance is created. Fix this by ensuring that a non existing BGP instance is not present. If it is present, and with auto mode or in hidden mode, then override the AS value. Fixes: f153b9a ("bgpd: Ignore auto created VRF BGP instances") Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>