22 Commits

Author SHA1 Message Date
chao.an
bf6cbbca5d net/tcp: fix devif callback list corruption on tcp_close()
devif_conn_event() will be called recursively in the psock_send_eventhandler(),
if the tcp event tcp_close_eventhandler() is marked as "next" in first devif_conn_event()
and released from the second recursive call, the "next" event in the first devif_conn_event()
will become a wild pointer.

479 uint16_t devif_conn_event(FAR struct net_driver_s *dev, uint16_t flags,
480                           FAR struct devif_callback_s *list)
481 {
482   FAR struct devif_callback_s *next;
...
488   net_lock();
489   while (list && flags)
490     {
...
496       next = list->nxtconn;  <------------------  event tcp_close_eventhandler() on next
...
500       if (list->event != NULL && devif_event_trigger(flags, list->flags))
501         {
...
507           flags = list->event(dev, list->priv, flags);  <---------------- perform  psock_send_eventhandler(), event tcp_close_eventhandler() will be removed from tcp_lost_connection()
508         }
...
512       list = next;  <---------------- event tcp_close_eventhandler() has been released, wild pointer
513     }
514
515   net_unlock();
516   return flags;
517 }

The call stack is as below:

Breakpoint 1, tcp_close_eventhandler (dev=0x56607d80 <g_sim_dev>, pvpriv=0x566084a0 <g_tcp_connections>, flags=65) at tcp/tcp_close.c:83
(gdb) bt
| #0  tcp_close_eventhandler (dev=0x56607d80 <g_sim_dev>, pvpriv=0x566084a0 <g_tcp_connections>, flags=65) at tcp/tcp_close.c:83
| #1  0x5658bb57 in devif_conn_event (dev=0x56607d80 <g_sim_dev>, flags=65, list=0x56609498 <g_cbprealloc+312>) at devif/devif_callback.c:507
                    ----------------> devif_conn_event() recursively
| #2  0x56589f8c in tcp_callback (dev=0x56607d80 <g_sim_dev>, conn=0x566084a0 <g_tcp_connections>, flags=65) at tcp/tcp_callback.c:169
| #3  0x565c55e4 in tcp_shutdown_monitor (conn=0x566084a0 <g_tcp_connections>, flags=65) at tcp/tcp_monitor.c:211
| #4  0x565c584b in tcp_lost_connection (conn=0x566084a0 <g_tcp_connections>, cb=0x566094b0 <g_cbprealloc+336>, flags=65) at tcp/tcp_monitor.c:391
| #5  0x565c028a in psock_send_eventhandler (dev=0x56607d80 <g_sim_dev>, pvpriv=0x566084a0 <g_tcp_connections>, flags=65) at tcp/tcp_send_buffered.c:544
                    ----------------> call psock_send_eventhandler() before tcp_close_eventhandler()
| #6  0x5658bb57 in devif_conn_event (dev=0x56607d80 <g_sim_dev>, flags=65, list=0x566094b0 <g_cbprealloc+336>) at devif/devif_callback.c:507
| #7  0x56589f8c in tcp_callback (dev=0x56607d80 <g_sim_dev>, conn=0x566084a0 <g_tcp_connections>, flags=65) at tcp/tcp_callback.c:169
| #8  0x5658e8cc in tcp_input (dev=0x56607d80 <g_sim_dev>, domain=2 '\002', iplen=20) at tcp/tcp_input.c:1059
| #9  0x5658ed77 in tcp_ipv4_input (dev=0x56607d80 <g_sim_dev>) at tcp/tcp_input.c:1355
| #10 0x5658c0a2 in ipv4_input (dev=0x56607d80 <g_sim_dev>) at devif/ipv4_input.c:358
| #11 0x56577017 in netdriver_recv_work (arg=0x56607d80 <g_sim_dev>) at sim/up_netdriver.c:182
| #12 0x5655999e in work_thread (argc=2, argv=0xf3db5dd0) at wqueue/kwork_thread.c:178
| #13 0x5655983f in nxtask_start () at task/task_start.c:129
(gdb) c
Continuing.
Breakpoint 1, tcp_close_eventhandler (dev=0x56607d80 <g_sim_dev>, pvpriv=0x566084a0 <g_tcp_connections>, flags=65) at tcp/tcp_close.c:83
(gdb) bt
| #0  tcp_close_eventhandler (dev=0x56607d80 <g_sim_dev>, pvpriv=0x566084a0 <g_tcp_connections>, flags=65) at tcp/tcp_close.c:83
      ----------------------> "next" corrupted, invalid call tcp_close_eventhandler()
| #1  0x5658bb57 in devif_conn_event (dev=0x56607d80 <g_sim_dev>, flags=65, list=0x56609498 <g_cbprealloc+312>) at devif/devif_callback.c:507
| #2  0x56589f8c in tcp_callback (dev=0x56607d80 <g_sim_dev>, conn=0x566084a0 <g_tcp_connections>, flags=65) at tcp/tcp_callback.c:169
| #3  0x5658e8cc in tcp_input (dev=0x56607d80 <g_sim_dev>, domain=2 '\002', iplen=20) at tcp/tcp_input.c:1059
| #4  0x5658ed77 in tcp_ipv4_input (dev=0x56607d80 <g_sim_dev>) at tcp/tcp_input.c:1355
| #5  0x5658c0a2 in ipv4_input (dev=0x56607d80 <g_sim_dev>) at devif/ipv4_input.c:358
| #6  0x56577017 in netdriver_recv_work (arg=0x56607d80 <g_sim_dev>) at sim/up_netdriver.c:182
| #7  0x5655999e in work_thread (argc=2, argv=0xf3db5dd0) at wqueue/kwork_thread.c:178
| #8  0x5655983f in nxtask_start () at task/task_start.c:129
(gdb) c
Continuing.
[    2.680000] up_assert: Assertion failed at file:devif/devif_callback.c line: 85 task: lpwork

Signed-off-by: chao.an <anchao@xiaomi.com>
2022-08-30 19:41:18 +08:00
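
An added example, not code from this commit or from NuttX: a constructed model of a pooled callback list, showing the cached "next" pointer walking recycled nodes after a re-entrant dispatch frees one, beside one possible mitigation (deferring the free until the outermost dispatch returns). The names dispatch, free_now and free_deferred, and the mitigation itself, are assumptions for illustration; the commit message does not show how the fix is implemented.

```c
#include <stddef.h>
#include <stdio.h>
/* Constructed model, not NuttX code: pooled, singly linked callback list. */
enum { CB_FREE, CB_LIVE, CB_DYING };
struct cb { struct cb *next; void (*event)(struct cb *); int state; };
static struct cb pool[4], *head, *freelist;
static int depth, stale_visits, close_calls;
static void (*release)(struct cb *);        /* free strategy under test */

static void free_now(struct cb *c)          /* unlink and recycle at once */
{
  struct cb **pp = &head;
  while (*pp && *pp != c) pp = &(*pp)->next;
  if (*pp) *pp = c->next;
  c->state = CB_FREE; c->next = freelist; freelist = c;
}

static void free_deferred(struct cb *c)     /* only mark while a walk runs */
{ if (depth > 0) c->state = CB_DYING; else free_now(c); }

static void dispatch(void)
{
  depth++;
  for (struct cb *c = head, *next; c; c = next)
    {
      next = c->next;                       /* cached before the callback */
      if (c->state == CB_FREE) stale_visits++;  /* real loop would call it */
      else if (c->state == CB_LIVE && c->event) c->event(c);
    }
  if (--depth > 0) return;
  for (struct cb *c = head, *next; c; c = next) /* outermost walk reclaims */
    { next = c->next; if (c->state == CB_DYING) free_now(c); }
}

static void on_close(struct cb *self) { close_calls++; release(self); }
static void on_send(struct cb *self) { self->event = NULL; dispatch(); }

static int run(void (*strategy)(struct cb *))
{
  release = strategy; depth = stale_visits = close_calls = 0;
  pool[0] = (struct cb){ &pool[1], on_send, CB_LIVE };   /* send handler */
  pool[1] = (struct cb){ NULL, on_close, CB_LIVE };      /* close handler */
  pool[2] = (struct cb){ &pool[3], NULL, CB_FREE };      /* free pool */
  pool[3] = (struct cb){ NULL, NULL, CB_FREE };
  head = &pool[0]; freelist = &pool[2];
  dispatch();
  return stale_visits;                      /* visits to recycled nodes */
}

int main(void)
{ printf("now=%d deferred=%d\n", run(free_now), run(free_deferred)); return 0; }
```

With the immediate free, the outer walk follows its cached pointer into the free pool and visits every recycled node; with the deferred free, the close handler still runs exactly once and the node is reclaimed only after the outermost walk ends.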
chao.an
162fcd10ca net: cleanup pvconn reference to avoid confuse
More reference:
https://github.com/apache/incubator-nuttx/pull/5252
https://github.com/apache/incubator-nuttx/pull/5434

Signed-off-by: chao.an <anchao@xiaomi.com>
2022-08-26 20:58:11 +08:00
chao.an
e749f6ca7e net/tcp/monitor: do not migrate the state to close
1. remove the unnecessary interfaces tcp_close_monitor()

socket flags(s_flags) is a global state for net connection
remove the incorrect update for stop monitor

2. do not start the tcp monitor from duplicated psock

the tcp monitor has already registered in connect callback

------------------------------------------------------------
This patch also fixes the telnet issue reported by:
https://github.com/apache/incubator-nuttx/pull/5434#issuecomment-1035600651

the original session fd is closed after dup, the connect state
has incorrectly migrated to close:

drivers/net/telnet.c:
 977 static int telnet_session(FAR struct telnet_session_s *session)
 ...
 1031   ret = psock_dup2(psock, &priv->td_psock);
 ...
 1082   nx_close(session->ts_sd);

Signed-off-by: chao.an <anchao@xiaomi.com>
2022-02-11 18:56:40 +09:00
chao.an
8fb2468785 net/tcp: remove the socket hook reference from netdev callback
Signed-off-by: chao.an <anchao@xiaomi.com>
2022-02-10 15:04:33 -03:00
chao.an
99cde13a11 net/inet: move socket flags into socket_conn_s
Signed-off-by: chao.an <anchao@xiaomi.com>
2022-02-10 15:04:33 -03:00
Alexander Lunev
36fbedcbfc net/devif/devif_callback.c: corrected the connection event list to work as FIFO instead of LIFO.
In case of enabled packet forwarding mode, packets were forwarded in a reverse order
because of LIFO behavior of the connection event list.
The issue exposed only during high network traffic. Thus the event list started to grow
that resulted in changing the order of packets inside of groups of several packets
like the following: 3, 2, 1, 6, 5, 4, 8, 7 etc.

Remarks concerning the connection event list implementation:
* Now the queue (list) is FIFO as it should be.
* The list is singly linked.
* The list has a head pointer (inside of outer net_driver_s structure),
  and a tail pointer is added into outer net_driver_s structure.
* The list item is devif_callback_s structure.
  It still has two pointers to two different list chains (*nxtconn and *nxtdev).
* As before the first argument (*dev) of the list functions can be NULL,
  while the other argument (*list) is effective (not NULL).
* An extra (*tail) argument is added to devif_callback_alloc()
  and devif_conn_callback_free() functions.
* devif_callback_alloc() time complexity is O(1) (i.e. O(n) to fill the whole list).
* devif_callback_free() time complexity is O(n) (i.e. O(n^2) to empty the whole list).
* devif_conn_event() time complexity is O(n).
2021-09-18 21:01:39 -05:00
chao.an
9701a678bd net/tcp: add nonblock connect(2) support
Signed-off-by: chao.an <anchao@xiaomi.com>
2021-08-19 19:19:05 -07:00
Alin Jerpelea
37d5c1b0d9 net: Author Gregory Nutt: update licenses to Apache
Gregory Nutt has submitted the SGA and we can migrate the licenses
 to Apache.

Signed-off-by: Alin Jerpelea <alin.jerpelea@sony.com>
2021-02-20 00:38:18 -08:00
Xiang Xiao
bd4e8e19d3 Run codespell -w against all files
and fix the wrong correction
2020-02-22 14:45:07 -06:00
Xiang Xiao
6a3c2aded6 Fix wait loop and void cast (#24)
* Simplify EINTR/ECANCEL error handling

1. Add semaphore uninterruptible wait function
2. Replace semaphore wait loop with a single uninterruptible wait
3. Replace all sem_xxx to nxsem_xxx

* Unify the void cast usage

1. Remove void cast for function because many places ignore the returned value without cast
2. Replace void cast for variable with UNUSED macro
2020-01-02 10:54:43 -06:00
Gregory Nutt
f6b00e1966 tools/nxstyle.c: Fix logic error that prevented detection of '/' and '/=' as operators. net/: Minor updates resulting from testing tools/nxstyle. 2019-03-11 12:48:39 -06:00
Gregory Nutt
88130a996a net/: Fixes for more coding standard issues detected by nxstyle. 2018-10-29 18:00:30 -06:00
zhangyuan7
da1a323f34 net/tcp/tcp_monitor.c: Fix net unlock issue when tcp close. This bug could leave the net locked. 2018-08-26 14:32:06 -06:00
Gregory Nutt
b54ffe858a Standardization of some function headers. 2018-03-13 09:52:27 -06:00
Gregory Nutt
251924a734 Squashed commit of the following:
net/tcp:  Add logic to send probes when SO_KEEPALIVE is enabled.
    net/tcp:  TCP socket should not have to be connected to configure KeepAlive.
    net/: Add a separate configuration to enable/disable KEEPALIVE socket options.
    net/tcp: Arguments to TCP keep-alive timing functions probably should be struct timeval as are the times for other time-related socket options.
    net/tcp:  Fix a backward conditional
    net/tcp:  Add some more checks and debug output to TCP-protocol socket options.
    net/tcp:  Cosmetic changes to some alignment.
    net/:  Adds socket options needed to manage TCP-keepalive and TCP state machine logic to detect if that the remote peer is alive.  Still missing the timer poll logic to send the keep-alive probes and the state machine logic to respond to probes.
2018-03-12 10:59:46 -06:00
Gregory Nutt
5ffd034f40 TCP Networking: When CONFIG_NET_TCP_WRITE_BUFF=y there is a situation where a NULL pointer may be dereferenced. In this configuration, the TCP connection's 'semi-permanent' callback, s_sndcb was nullified in tcp_close_disconnect. However, other logic in tcp_lost_connection() attempts to use that callback reference after it was nullified. Fixed in tcp_lost_connection() by adding a NULL pointer change before the access. This was reported by Dmitriy Linikov in Bitbucket Issue 72. 2017-10-13 06:47:40 -06:00
Gregory Nutt
04ad162540 Networking: Clean up some naming that has bothered me for a long time... There are no interrupts and no interrupt handlers in the network. There are events and event handlers (there used to be interrupt logic in there years ago but that is long, long gone). 2017-08-29 14:08:04 -06:00
Gregory Nutt
171d183e8e Networking: A placeholder for some missing logic in the previous change related to monitoring network status for dup'ed sockets. If one of the dup'ed sockets is closed, then network monitor resources associated with that one socket must be recovered. Also, in the event that socket is being used on one thread, but then closed on another, any threads waiting for events from the socket should be informed of the closure. That latter requirement is not implemented because current data structures do not support it. 2017-08-29 13:24:49 -06:00
Gregory Nutt
0f7a52bc28 Networking: Fix a runaway recursion problem introduced by the previous fix for shutting down dup'ed sockets. 2017-08-29 12:27:58 -06:00
Gregory Nutt
d40ee8e79d Networking: Start the network monitor for a socket when a TCP socket is dup'ed. 2017-08-29 10:53:04 -06:00
Gregory Nutt
9db65dea78 Networking: TCP disconnection callbacks are not retained in a list. This will support multiple callbacks per lower-level TCP connection structure. That is necessary for the case where a socket is dup'ed and shares the same lower-level connection structure. NOTE: There still needs to be a call to tcp_start_monitor() when the socket is dup'ed. 2017-08-29 10:38:01 -06:00
Gregory Nutt
92f44c5607 Networking: Move net/inet/net_monitor.c to net/tcp/tcp_monitor.c in preparation for design change to fix monitoring of duplicated sockets. 2017-08-29 08:40:13 -06:00