Merge pull request #17139 from FRRouting/mergify/bp/stable/10.0/pr-17020

zebra: fix heap-use-after free on ns shutdown (backport #17020)

zebra/main.c

@@ -239,7 +239,7 @@ void zebra_finalize(struct event *dummy)
 	zebra_ns_notify_close();
 
 	/* Final shutdown of ns resources */
-	ns_walk_func(zebra_ns_final_shutdown, NULL, NULL);
+	ns_walk_func(zebra_ns_kernel_shutdown, NULL, NULL);
 
 	zebra_rib_terminate();
 	zebra_router_terminate();
@@ -252,6 +252,8 @@ void zebra_finalize(struct event *dummy)
 
 	label_manager_terminate();
 
+	ns_walk_func(zebra_ns_final_shutdown, NULL, NULL);
+
 	ns_terminate();
 	frr_fini();
 	exit(0);

zebra/zebra_ns.c

@@ -175,6 +175,22 @@ int zebra_ns_early_shutdown(struct ns *ns,
 	return NS_WALK_CONTINUE;
 }
 
+/* During zebra shutdown, do kernel cleanup
+ * netlink sockets, ..
+ */
+int zebra_ns_kernel_shutdown(struct ns *ns, void *param_in __attribute__((unused)),
+			     void **param_out __attribute__((unused)))
+{
+	struct zebra_ns *zns = ns->info;
+
+	if (zns == NULL)
+		return NS_WALK_CONTINUE;
+
+	kernel_terminate(zns, true);
+
+	return NS_WALK_CONTINUE;
+}
+
 /* During zebra shutdown, do final cleanup
  * after all dataplane work is complete.
  */
@@ -185,9 +201,7 @@ int zebra_ns_final_shutdown(struct ns *ns,
 	struct zebra_ns *zns = ns->info;
 
 	if (zns == NULL)
-		return 0;
-
-	kernel_terminate(zns, true);
+		return NS_WALK_CONTINUE;
 
 	zebra_ns_delete(ns);
 

zebra/zebra_ns.h

@@ -70,6 +70,8 @@ int zebra_ns_early_shutdown(struct ns *ns,
 int zebra_ns_final_shutdown(struct ns *ns,
 			    void *param_in __attribute__((unused)),
 			    void **param_out __attribute__((unused)));
+int zebra_ns_kernel_shutdown(struct ns *ns, void *param_in __attribute__((unused)),
+			     void **param_out __attribute__((unused)));
 
 void zebra_ns_startup_continue(struct zebra_dplane_ctx *ctx);