Hoi,

I've noticed that when a linuxcp-enabled VPP 21.06 with multiple threads
receives many ARP requests, eventually it crashes in lcp_arp_phy_node in
lcp_node.c:675 and :775 because we do a vlib_buffer_copy() which returns
NULL, after which we try to dereference the result. How to repro:
1) create a few interfaces/subints and give them IP addresses in Linux and
VPP. I made 5 phy subints and 5 subints on a bondethernet.
2) rapidly fping the Linux CP and at the same time continuously flush the
neighbor cache on the Linux namespace:
On the vpp machine in 'dataplane' namespace:
  while :; do ip nei flush all; done
On a Linux machine connected to VPP:
  while :; do fping -c 10000 -B 1 -p 10 \
    10.1.1.2 10.1.2.2 10.1.3.2 10.1.4.2 10.1.5.2 \
    10.0.1.2 10.0.2.2 10.0.3.2 10.0.4.2 10.0.5.2 \
    2001:db8:1:1::2 2001:db8:1:2::2 2001:db8:1:3::2 2001:db8:1:4::2 \
    2001:db8:1:5::2 2001:db8:0:1::2 2001:db8:0:2::2 2001:db8:0:3::2 \
    2001:db8:0:4::2 2001:db8:0:5::2; done

VPP will now be seeing lots of ARP traffic to and from the host. After a
while, c0 or c1 from lcp_node.c:675 and lcp_node.c:775 will be NULL and
cause a crash.
I temporarily worked around this by simply adding:

@@ -675,6 +675,10 @@ VLIB_NODE_FN (lcp_arp_phy_node)

                  c0 = vlib_buffer_copy (vm, b0);

                  vlib_buffer_advance (b0, len0);



+                 // pim(2021-08-24) -- address SIGSEGV when copy returns
NULL

+                 if (!c0)

+                   continue;

+

                  /* Send to the host */

                  vnet_buffer (c0)->sw_if_index[VLIB_TX] =

                    lip0->lip_host_sw_if_index;
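
Review bot: the "if (!c0) continue;" check sits after vlib_buffer_advance (b0, len0), so when the copy fails b0 has already been advanced, and the continue then skips everything else the iteration would do with b0, not only the host-bound copy. Test c0 directly after vlib_buffer_copy (vm, b0) and guard only the "Send to the host" block with if (c0), so the original buffer still follows its normal path; counting the failed copy in a node error counter would make buffer exhaustion visible instead of silent. The second copy site named in the message (lcp_node.c:775) is not covered by this hunk and needs the same check, and the comment should use the /* ... */ style of the surrounding code without the name and date.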

but I'm not very comfortable in this part of VPP, and I'm sure there's a
better way to catch the buffer copy failing? I haven't quite understood
this code yet, but shouldn't we free c0 and c1 in these functions? It seems
that when I'm doing my rapid ping/arp/flush exercise above, VPP is slowly
consuming more memory (as seen by show memory main-heap; all 4 threads are
monotonously growing by a few hundred kB per minute of runtime).

If somebody could help me take a look, I'd appreciate it.

groet,
Pim
-- 
Pim van Pelt <p...@ipng.nl>
PBVP1-RIPE - http://www.ipng.nl/