nuttx/net
chao.an bf6cbbca5d net/tcp: fix devif callback list corruption on tcp_close()
devif_conn_event() will be called recursively in the psock_send_eventhandler(),
if the tcp event tcp_close_eventhandler() is marked as "next" in first devif_conn_event()
and released from second recursive call, the "next" event in the first devif_conn_event()
will become a wild pointer.

479 uint16_t devif_conn_event(FAR struct net_driver_s *dev, uint16_t flags,
480                           FAR struct devif_callback_s *list)
481 {
482   FAR struct devif_callback_s *next;
...
488   net_lock();
489   while (list && flags)
490     {
...
496       next = list->nxtconn;  <------------------  event tcp_close_eventhandler() on next
...
500       if (list->event != NULL && devif_event_trigger(flags, list->flags))
501         {
...
507           flags = list->event(dev, list->priv, flags);  <---------------- perform  psock_send_eventhandler(), event tcp_close_eventhandler() will be removed from tcp_lost_connection()
508         }
...
512       list = next;  <---------------- event tcp_close_eventhandler() has been released, wild pointer
513     }
514
515   net_unlock();
516   return flags;
517 }

The call stack is as below:

Breakpoint 1, tcp_close_eventhandler (dev=0x56607d80 <g_sim_dev>, pvpriv=0x566084a0 <g_tcp_connections>, flags=65) at tcp/tcp_close.c:83
(gdb) bt
| #0  tcp_close_eventhandler (dev=0x56607d80 <g_sim_dev>, pvpriv=0x566084a0 <g_tcp_connections>, flags=65) at tcp/tcp_close.c:83
| #1  0x5658bb57 in devif_conn_event (dev=0x56607d80 <g_sim_dev>, flags=65, list=0x56609498 <g_cbprealloc+312>) at devif/devif_callback.c:507
                    ----------------> devif_conn_event() recursively
| #2  0x56589f8c in tcp_callback (dev=0x56607d80 <g_sim_dev>, conn=0x566084a0 <g_tcp_connections>, flags=65) at tcp/tcp_callback.c:169
| #3  0x565c55e4 in tcp_shutdown_monitor (conn=0x566084a0 <g_tcp_connections>, flags=65) at tcp/tcp_monitor.c:211
| #4  0x565c584b in tcp_lost_connection (conn=0x566084a0 <g_tcp_connections>, cb=0x566094b0 <g_cbprealloc+336>, flags=65) at tcp/tcp_monitor.c:391
| #5  0x565c028a in psock_send_eventhandler (dev=0x56607d80 <g_sim_dev>, pvpriv=0x566084a0 <g_tcp_connections>, flags=65) at tcp/tcp_send_buffered.c:544
                    ----------------> call psock_send_eventhandler() before tcp_close_eventhandler()
| #6  0x5658bb57 in devif_conn_event (dev=0x56607d80 <g_sim_dev>, flags=65, list=0x566094b0 <g_cbprealloc+336>) at devif/devif_callback.c:507
| #7  0x56589f8c in tcp_callback (dev=0x56607d80 <g_sim_dev>, conn=0x566084a0 <g_tcp_connections>, flags=65) at tcp/tcp_callback.c:169
| #8  0x5658e8cc in tcp_input (dev=0x56607d80 <g_sim_dev>, domain=2 '\002', iplen=20) at tcp/tcp_input.c:1059
| #9  0x5658ed77 in tcp_ipv4_input (dev=0x56607d80 <g_sim_dev>) at tcp/tcp_input.c:1355
| #10 0x5658c0a2 in ipv4_input (dev=0x56607d80 <g_sim_dev>) at devif/ipv4_input.c:358
| #11 0x56577017 in netdriver_recv_work (arg=0x56607d80 <g_sim_dev>) at sim/up_netdriver.c:182
| #12 0x5655999e in work_thread (argc=2, argv=0xf3db5dd0) at wqueue/kwork_thread.c:178
| #13 0x5655983f in nxtask_start () at task/task_start.c:129
(gdb) c
Continuing.
Breakpoint 1, tcp_close_eventhandler (dev=0x56607d80 <g_sim_dev>, pvpriv=0x566084a0 <g_tcp_connections>, flags=65) at tcp/tcp_close.c:83
(gdb) bt
| #0  tcp_close_eventhandler (dev=0x56607d80 <g_sim_dev>, pvpriv=0x566084a0 <g_tcp_connections>, flags=65) at tcp/tcp_close.c:83
      ----------------------> "next" corrupted, invalid call tcp_close_eventhandler()
| #1  0x5658bb57 in devif_conn_event (dev=0x56607d80 <g_sim_dev>, flags=65, list=0x56609498 <g_cbprealloc+312>) at devif/devif_callback.c:507
| #2  0x56589f8c in tcp_callback (dev=0x56607d80 <g_sim_dev>, conn=0x566084a0 <g_tcp_connections>, flags=65) at tcp/tcp_callback.c:169
| #3  0x5658e8cc in tcp_input (dev=0x56607d80 <g_sim_dev>, domain=2 '\002', iplen=20) at tcp/tcp_input.c:1059
| #4  0x5658ed77 in tcp_ipv4_input (dev=0x56607d80 <g_sim_dev>) at tcp/tcp_input.c:1355
| #5  0x5658c0a2 in ipv4_input (dev=0x56607d80 <g_sim_dev>) at devif/ipv4_input.c:358
| #6  0x56577017 in netdriver_recv_work (arg=0x56607d80 <g_sim_dev>) at sim/up_netdriver.c:182
| #7  0x5655999e in work_thread (argc=2, argv=0xf3db5dd0) at wqueue/kwork_thread.c:178
| #8  0x5655983f in nxtask_start () at task/task_start.c:129
(gdb) c
Continuing.
[    2.680000] up_assert: Assertion failed at file:devif/devif_callback.c line: 85 task: lpwork

Signed-off-by: chao.an <anchao@xiaomi.com>
2022-08-30 19:41:18 +08:00
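
The failure described in the commit message above, reduced to a stand-alone model as an added example (not NuttX code and not the fix this commit applies): a handler re-enters the dispatch loop and removes a callback that the outer loop has already cached as "next". The deferred-free approach shown here (mark the node dead, reap it when the outermost loop exits) is one common way to keep cached pointers valid; cb_remove, cb_reap, dispatch and g_depth are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
struct cb { struct cb *next; void (*event)(struct cb *self); };

/* Constructed model of a callback list and its dispatch nesting depth. */
static struct cb *g_head;
static int g_depth, g_close_calls;

/* Only mark the node dead: an outer loop may hold it as its cached "next". */
static void cb_remove(struct cb *victim) { victim->event = NULL; }
/* Unlink and free dead nodes; called only when no dispatch loop is active. */
static void cb_reap(void) {
  struct cb **pp = &g_head;
  while (*pp != NULL) {
    struct cb *c = *pp;
    if (c->event == NULL) { *pp = c->next; free(c); }
    else { pp = &c->next; }
  }
}

static void dispatch(void) {
  struct cb *list = g_head;
  g_depth++;
  while (list != NULL) {
    struct cb *next = list->next;               /* cached, as at line 496 */
    if (list->event != NULL) list->event(list); /* may re-enter dispatch() */
    list = next;                                /* valid: nothing freed yet */
  }
  if (--g_depth == 0) cb_reap();                /* outermost loop: safe to free */
}

static void close_handler(struct cb *self) { g_close_calls++; cb_remove(self); }
/* Re-enters the loop once, like frame #1 in the first backtrace. */
static void send_handler(struct cb *self) { (void)self; if (g_depth == 1) dispatch(); }
static struct cb *cb_add(void (*ev)(struct cb *), struct cb *next) {
  struct cb *c = malloc(sizeof(*c));
  if (c == NULL) abort();
  c->event = ev; c->next = next;
  return c;
}

/* Returns how often the close handler ran, or -1 if the list is not {send}. */
int run_demo(void) {
  g_close_calls = 0;
  g_head = cb_add(send_handler, cb_add(close_handler, NULL));
  dispatch();
  int ok = g_head != NULL && g_head->event == send_handler && g_head->next == NULL;
  free(g_head); g_head = NULL;
  return ok ? g_close_calls : -1;
}
int main(void) { printf("close handler calls: %d\n", run_demo()); return 0; }
```

If cb_remove() freed the node immediately instead, the outer loop's `list = next` would step onto released memory, which is the second tcp_close_eventhandler() call seen in the backtrace.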
arp net: cleanup pvconn reference to avoid confuse 2022-08-26 20:58:11 +08:00
bluetooth net: cleanup pvconn reference to avoid confuse 2022-08-26 20:58:11 +08:00
can net: cleanup pvconn reference to avoid confuse 2022-08-26 20:58:11 +08:00
devif net: cleanup pvconn reference to avoid confuse 2022-08-26 20:58:11 +08:00
icmp net: cleanup pvconn reference to avoid confuse 2022-08-26 20:58:11 +08:00
icmpv6 net: cleanup pvconn reference to avoid confuse 2022-08-26 20:58:11 +08:00
ieee802154 net: cleanup pvconn reference to avoid confuse 2022-08-26 20:58:11 +08:00
igmp net/igmp: Remove igmp_initialize 2022-03-12 19:24:17 +02:00
inet make sure conn's domain is match with addr's family 2022-07-29 13:53:19 +08:00
ipforward net: cleanup pvconn reference to avoid confuse 2022-08-26 20:58:11 +08:00
local Replace all strncpy with strlcpy for safety 2022-08-25 13:38:36 +08:00
mld net/tcp/netdev/mld: correct the netlock handling 2022-02-03 11:09:18 -03:00
neighbor net: use HTONS, NTOHS, HTONL, NTOHL macro in kernel code 2022-01-18 10:59:47 +01:00
netdev net: cleanup pvconn reference to avoid confuse 2022-08-26 20:58:11 +08:00
netlink Fix ENOENT errors when polling on Netlink socket 2022-05-14 00:35:29 +03:00
pkt net: cleanup pvconn reference to avoid confuse 2022-08-26 20:58:11 +08:00
procfs Replace all strncpy with strlcpy for safety 2022-08-25 13:38:36 +08:00
route use rmutex inside of all repeated implementation 2022-05-30 19:43:48 +08:00
rpmsg rptun: add ns_match callback to resolve rptun deadlock 2022-07-27 20:36:51 +08:00
sixlowpan net: cleanup pvconn reference to avoid confuse 2022-08-26 20:58:11 +08:00
socket net/sockopt: move BINDTODEVICE to socket level 2022-08-25 17:56:52 +08:00
tcp net/tcp: fix devif callback list corruption on tcp_close() 2022-08-30 19:41:18 +08:00
udp net: cleanup pvconn reference to avoid confuse 2022-08-26 20:58:11 +08:00
usrsock net: cleanup pvconn reference to avoid confuse 2022-08-26 20:58:11 +08:00
utils net:add btsnoop and snoop 2022-08-24 21:42:30 +08:00
Kconfig net/slip: Rename and clarify orphaned Kconfig options 2022-07-20 13:17:09 +08:00
Makefile
net_initialize.c net: Reoder the initialize sequence(mac->ip->tcp/udp) 2022-03-12 19:24:17 +02:00
README.txt

README
======

Directory Structure
===================

  nuttx/
   |
   `- net/
       |
       +- arp        - Address resolution protocol (IPv4)
       +- bluetooth  - PF_BLUETOOTH socket interface
       +- devif      - Stack/device interface layer
       +- icmp       - Internet Control Message Protocol (IPv4)
       +- icmpv6     - Internet Control Message Protocol (IPv6)
       +- ieee802154 - PF_IEEE802154 socket interface
       +- inet       - PF_INET/PF_INET6 socket interface
       +- ipforward  - IP forwarding logic
       +- local      - Unix domain (local) sockets
       +- mld        - Multicast Listener Discovery (MLD)
       +- neighbor   - Neighbor Discovery Protocol (IPv6)
       +- netdev     - Socket network device interface
       +- netlink    - Netlink IPC socket interface
       +- pkt        - "Raw" packet socket support
       +- sixlowpan  - 6LoWPAN implementation
       +- socket     - BSD socket interface
       +- route      - Routing table support
       +- tcp        - Transmission Control Protocol
       +- udp        - User Datagram Protocol
       +- usrsock    - User socket API for user-space networking stack
       `- utils      - Miscellaneous utility functions

    +-------------------------------------------------------------------++------------------------+
    |                     Application layer                             || usrsock daemon         |
    +-------------------------------------------------------------------++------------------------+
    +-------------------------------------------------------------------++----------------+ +-----+
    |                   Socket layer (socket/)                          || /dev/usrsock   | |     |
    +-------------------------------------------------------------------++----------------+ |     |
    +------------++--------------------------------------------------++-------------------+ |     |
    |  Network   || Protocol stacks (arp, ipv6, icmp, pkt, tcp, udp) || usrsock/          | |     |
    |   Device   |+--------------------------------------------------++-------------------+ |     |
    | Interface  |+------------------------------------++---------------------------------+ |     |
    | (netdev/)  ||  Network Device Interface (devif/) || Utilities                       | |     |
    +------------++------------------------------------++---------------------------------+ |     |
    +----------------------------------------------------------------+                      |     |
    |                    Network Device Drivers                      |                      | HAL |
    +----------------------------------------------------------------+                      +-----+
    +----------------------------------------------------------------+ +--------------------------+
    |                    Networking Hardware                         | |  Hardware TCP/IP Stack   |
    +----------------------------------------------------------------+ +--------------------------+