bgpd, lib, zebra: Switch to work_queue_free_and_null

The work_queue_free function free'd up the wq pointer but did not set it too NULL. This of course causes situations where we may use the work_queue after it is freed. Let's modify the work_queue to set the pointer for you. Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
2025-08-14 04:26:12 +00:00 · 2018-02-05 10:40:09 -05:00 · 2018-02-05 10:40:09 -05:00 · e208c8f943
commit e208c8f943
parent c67667e74c
6 changed files with 32 additions and 18 deletions
--- a/bgpd/bgpd.c
+++ b/bgpd/bgpd.c
@ -1079,10 +1079,8 @@ static void peer_free(struct peer *peer)
 		XFREE(MTYPE_TMP, peer->notify.data);
 	memset(&peer->notify, 0, sizeof(struct bgp_notify));

-	if (peer->clear_node_queue) {
-		work_queue_free(peer->clear_node_queue);
-		peer->clear_node_queue = NULL;
-	}
+	if (peer->clear_node_queue)
+		work_queue_free_and_null(&peer->clear_node_queue);

 	bgp_sync_delete(peer);

@ -7639,10 +7637,8 @@ void bgp_terminate(void)
 				bgp_notify_send(peer, BGP_NOTIFY_CEASE,
 						BGP_NOTIFY_CEASE_PEER_UNCONFIG);

-	if (bm->process_main_queue) {
-		work_queue_free(bm->process_main_queue);
-		bm->process_main_queue = NULL;
-	}
+	if (bm->process_main_queue)
+		work_queue_free_and_null(&bm->process_main_queue);

 	if (bm->t_rmap_update)
 		BGP_TIMER_OFF(bm->t_rmap_update);
--- a/bgpd/rfapi/rfapi_import.c
+++ b/bgpd/rfapi/rfapi_import.c
@ -4336,7 +4336,7 @@ void bgp_rfapi_destroy(struct bgp *bgp, struct rfapi *h)
 		h->import_mac = NULL;
 	}

-	work_queue_free(h->deferred_close_q);
+	work_queue_free_and_null(&h->deferred_close_q);

 	if (h->rfp != NULL)
 		rfp_stop(h->rfp);
--- a/bgpd/rfapi/rfapi_rib.c
+++ b/bgpd/rfapi/rfapi_rib.c
@ -571,10 +571,8 @@ void rfapiRibClear(struct rfapi_descriptor *rfd)
 			}
 		}
 	}
-	if (rfd->updated_responses_queue) {
-		work_queue_free(rfd->updated_responses_queue);
-		rfd->updated_responses_queue = NULL;
-	}
+	if (rfd->updated_responses_queue)
+		work_queue_free_and_null(&rfd->updated_responses_queue);
 }

 /*
--- a/lib/workqueue.c
+++ b/lib/workqueue.c
@ -101,7 +101,7 @@ struct work_queue *work_queue_new(struct thread_master *m,
 	return new;
 }

-void work_queue_free(struct work_queue *wq)
+void work_queue_free_original(struct work_queue *wq)
 {
 	if (wq->thread != NULL)
 		thread_cancel(wq->thread);
@ -119,6 +119,12 @@ void work_queue_free(struct work_queue *wq)
 	return;
 }

+void work_queue_free_and_null(struct work_queue **wq)
+{
+	work_queue_free_original(*wq);
+	*wq = NULL;
+}
+
 bool work_queue_is_scheduled(struct work_queue *wq)
 {
 	return (wq->thread != NULL);
--- a/lib/workqueue.h
+++ b/lib/workqueue.h
@ -28,7 +28,7 @@
 DECLARE_MTYPE(WORK_QUEUE)

 /* Hold time for the initial schedule of a queue run, in  millisec */
-#define WORK_QUEUE_DEFAULT_HOLD  50 
+#define WORK_QUEUE_DEFAULT_HOLD 50

 /* action value, for use by item processor and item error handlers */
 typedef enum {
@ -148,8 +148,22 @@ static inline void work_queue_item_dequeue(struct work_queue *wq,
 * anything to it
 */
 extern struct work_queue *work_queue_new(struct thread_master *, const char *);
+
 /* destroy work queue */
-extern void work_queue_free(struct work_queue *);
+/*
+ * The usage of work_queue_free is being transitioned to pass
+ * in the double pointer to remove use after free's.
+ */
+#if CONFDATE > 20190205
+CPP_NOTICE("work_queue_free without double pointer is deprecated, please fixup")
+#endif
+extern void work_queue_free_and_null(struct work_queue **);
+extern void work_queue_free_original(struct work_queue *);
+#define work_queue_free(X)                                                     \
+	do {                                                                   \
+		work_queue_free_original((X));                                 \
+		CPP_WARN("Please use work_queue_free_and_null");               \
+	} while (0)

 /* Add the supplied data as an item onto the workqueue */
 extern void work_queue_add(struct work_queue *, void *);
--- a/zebra/main.c
+++ b/zebra/main.c
@ -140,7 +140,7 @@ static void sigint(void)
 				SET_FLAG(zvrf->flags, ZEBRA_VRF_RETAIN);
 		}
 	if (zebrad.lsp_process_q)
-		work_queue_free(zebrad.lsp_process_q);
+		work_queue_free_and_null(&zebrad.lsp_process_q);
 	vrf_terminate();

 	ns_walk_func(zebra_ns_disabled);
@ -151,7 +151,7 @@ static void sigint(void)
 	route_map_finish();

 	list_delete_and_null(&zebrad.client_list);
-	work_queue_free(zebrad.ribq);
+	work_queue_free_and_null(&zebrad.ribq);
 	meta_queue_free(zebrad.mq);

 	frr_fini();