From a24dae86e1a03e2809aaaf4c7721e3c3289fc6da Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@cumulusnetworks.com>
Date: Sat, 20 May 2017 08:22:23 -0400
Subject: bgpd: Fix crash when going down

When bgp is sent a SIGINT signal with vrf's configured
bgp proceeds to crash on the way down.  This is because
the bm->bgp list was deleted( but the pointer was kept around)
and then later in the going down process vrf_terminate is called
which attempts to find any associated processes.  Since memory
has been freed and subsuquently used for something else
we get a corrupt bgp pointer and bgp crashes.

Here is the trace:

(gdb) bt
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
    at sigevent.c:255
    at thread.c:1315
(gdb)

Multiple protocols besides bgp and zebra running are needed to make
this happen as well.  So a weird timing related issue?

Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
---
 bgpd/bgp_main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'bgpd/bgp_main.c')

diff --git a/bgpd/bgp_main.c b/bgpd/bgp_main.c
index 8714820e2..9fcbff0f5 100644
--- a/bgpd/bgp_main.c
+++ b/bgpd/bgp_main.c
@@ -194,7 +194,6 @@ bgp_exit (int status)
   /* reverse bgp_master_init */
   for (ALL_LIST_ELEMENTS (bm->bgp, node, nnode, bgp))
     bgp_delete (bgp);
-  list_free (bm->bgp);
 
   /* reverse bgp_dump_init */
   bgp_dump_finish ();
@@ -246,6 +245,7 @@ bgp_exit (int status)
 
   closezlog ();
 
+  list_delete (bm->bgp);
   memset (bm, 0, sizeof (*bm));
 
   if (bgp_debug_count())
-- 
cgit v1.2.3