From bc26d1bb61b56fe334f4e217e371999a5bae25b5 Mon Sep 17 00:00:00 2001 From: Sarita Patra Date: Fri, 24 Jun 2022 03:04:37 -0700 Subject: [PATCH] pimd: fix invalid memory access join_timer_stop Issue: ==16837== Invalid read of size 8 ==16837== at 0x17971C: pim_neighbor_find (pim_neighbor.c:431) ==16837== by 0x186439: join_timer_stop (pim_upstream.c:348) ==16837== by 0x186794: pim_upstream_del (pim_upstream.c:231) ==16837== by 0x189A66: pim_upstream_terminate (pim_upstream.c:1951) ==16837== by 0x17111B: pim_instance_terminate (pim_instance.c:54) ==16837== by 0x17111B: pim_vrf_delete (pim_instance.c:172) ==16837== by 0x4F1D6C8: vrf_delete (vrf.c:264) ==16837== by 0x19006F: pim_terminate (pimd.c:160) ==16837== by 0x1B2E4D: pim_sigterm (pim_signals.c:51) ==16837== by 0x4F08FA2: frr_sigevent_process (sigevent.c:130) ==16837== by 0x4F1A2CC: thread_fetch (thread.c:1771) ==16837== by 0x4ED4F92: frr_run (libfrr.c:1197) ==16837== by 0x15D81A: main (pim_main.c:176) Root Cause: In the pim_terminate flow, the interface is deleted before the pim_interface clean up. Because of this, the pim_interface is having garbage value. Fix: Release the pim interface memory and then delete the interface. Signed-off-by: Sarita Patra --- pimd/pim_instance.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/pimd/pim_instance.c b/pimd/pim_instance.c index 8f117033e..a25026cef 100644 --- a/pimd/pim_instance.c +++ b/pimd/pim_instance.c @@ -238,5 +238,20 @@ void pim_vrf_init(void) void pim_vrf_terminate(void) { + struct vrf *vrf; + + RB_FOREACH (vrf, vrf_name_head, &vrfs_by_name) { + struct pim_instance *pim; + + pim = vrf->info; + if (!pim) + continue; + + pim_ssmpingd_destroy(pim); + pim_instance_terminate(pim); + + vrf->info = NULL; + } + vrf_terminate(); } -- 2.39.5
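Review bot: the hunk's `vrf->info = NULL;` silently changes what happens in the later `vrf_terminate()` call, and neither the hunk nor the commit message says so: the valgrind trace in the message shows `vrf_delete` invoking `pim_vrf_delete`, which in turn calls `pim_instance_terminate`, so with this loop running first, `pim_vrf_delete` will now be entered with `vrf->info == NULL` and must tolerate that, otherwise the fix only trades a use-after-free for a NULL dereference. Please confirm `pim_vrf_delete` checks `vrf->info` before use, and state in the commit message that the NULL assignment exists precisely to stop the delete hook from terminating the instance a second time. Two smaller points: the subject line names `join_timer_stop`, but the change is in `pim_vrf_terminate`, so a subject along the lines of "pimd: terminate pim instances before deleting VRFs" would make the fix easier to find later; and since `pim_ssmpingd_destroy(pim)` is now called ahead of `pim_instance_terminate(pim)` in this path, it is worth noting whether `pim_instance_terminate` also tears down ssmpingd state, so a reader does not have to check for a double teardown.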