nuttx

History

chao.an bf6cbbca5d net/tcp: fix devif callback list corruption on tcp_close() devif_conn_event() will be called recursively in the psock_send_eventhandler(), if the tcp event tcp_close_eventhandler() is marked as "next" in first devif_conn_event() and released from sencond recursive call, the "next" event in the first devif_conn_event() will become a wild pointer. 479 uint16_t devif_conn_event(FAR struct net_driver_s dev, uint16_t flags, 480 FAR struct devif_callback_s list) 481 { 482 FAR struct devif_callback_s *next; ... 488 net_lock(); 489 while (list && flags) 490 { ... 496 next = list->nxtconn; <------------------ event tcp_close_eventhandler() on next ... 500 if (list->event != NULL && devif_event_trigger(flags, list->flags)) 501 { ... 507 flags = list->event(dev, list->priv, flags); <---------------- perform psock_send_eventhandler(), event tcp_close_eventhandler() will be remove from tcp_lost_connection() 508 } ... 512 list = next; <---------------- event tcp_close_eventhandler() has been released, wild pointer 513 } 514 515 net_unlock(); 516 return flags; 517 } The callstack as below: Breakpoint 1, tcp_close_eventhandler (dev=0x56607d80 <g_sim_dev>, pvpriv=0x566084a0 <g_tcp_connections>, flags=65) at tcp/tcp_close.c:83 (gdb) bt \| #0 tcp_close_eventhandler (dev=0x56607d80 <g_sim_dev>, pvpriv=0x566084a0 <g_tcp_connections>, flags=65) at tcp/tcp_close.c:83 \| #1 0x5658bb57 in devif_conn_event (dev=0x56607d80 <g_sim_dev>, flags=65, list=0x56609498 <g_cbprealloc+312>) at devif/devif_callback.c:507 ----------------> devif_conn_event() recursively \| #2 0x56589f8c in tcp_callback (dev=0x56607d80 <g_sim_dev>, conn=0x566084a0 <g_tcp_connections>, flags=65) at tcp/tcp_callback.c:169 \| #3 0x565c55e4 in tcp_shutdown_monitor (conn=0x566084a0 <g_tcp_connections>, flags=65) at tcp/tcp_monitor.c:211 \| #4 0x565c584b in tcp_lost_connection (conn=0x566084a0 <g_tcp_connections>, cb=0x566094b0 <g_cbprealloc+336>, flags=65) at tcp/tcp_monitor.c:391 \| #5 0x565c028a in psock_send_eventhandler (dev=0x56607d80 <g_sim_dev>, pvpriv=0x566084a0 <g_tcp_connections>, flags=65) at tcp/tcp_send_buffered.c:544 ----------------> call psock_send_eventhandler() before tcp_close_eventhandler() \| #6 0x5658bb57 in devif_conn_event (dev=0x56607d80 <g_sim_dev>, flags=65, list=0x566094b0 <g_cbprealloc+336>) at devif/devif_callback.c:507 \| #7 0x56589f8c in tcp_callback (dev=0x56607d80 <g_sim_dev>, conn=0x566084a0 <g_tcp_connections>, flags=65) at tcp/tcp_callback.c:169 \| #8 0x5658e8cc in tcp_input (dev=0x56607d80 <g_sim_dev>, domain=2 '\002', iplen=20) at tcp/tcp_input.c:1059 \| #9 0x5658ed77 in tcp_ipv4_input (dev=0x56607d80 <g_sim_dev>) at tcp/tcp_input.c:1355 \| #10 0x5658c0a2 in ipv4_input (dev=0x56607d80 <g_sim_dev>) at devif/ipv4_input.c:358 \| #11 0x56577017 in netdriver_recv_work (arg=0x56607d80 <g_sim_dev>) at sim/up_netdriver.c:182 \| #12 0x5655999e in work_thread (argc=2, argv=0xf3db5dd0) at wqueue/kwork_thread.c:178 \| #13 0x5655983f in nxtask_start () at task/task_start.c:129 (gdb) c Continuing. Breakpoint 1, tcp_close_eventhandler (dev=0x56607d80 <g_sim_dev>, pvpriv=0x566084a0 <g_tcp_connections>, flags=65) at tcp/tcp_close.c:83 (gdb) bt \| #0 tcp_close_eventhandler (dev=0x56607d80 <g_sim_dev>, pvpriv=0x566084a0 <g_tcp_connections>, flags=65) at tcp/tcp_close.c:83 ----------------------> "next" corrupted, invaild call tcp_close_eventhandler() \| #1 0x5658bb57 in devif_conn_event (dev=0x56607d80 <g_sim_dev>, flags=65, list=0x56609498 <g_cbprealloc+312>) at devif/devif_callback.c:507 \| #2 0x56589f8c in tcp_callback (dev=0x56607d80 <g_sim_dev>, conn=0x566084a0 <g_tcp_connections>, flags=65) at tcp/tcp_callback.c:169 \| #3 0x5658e8cc in tcp_input (dev=0x56607d80 <g_sim_dev>, domain=2 '\002', iplen=20) at tcp/tcp_input.c:1059 \| #4 0x5658ed77 in tcp_ipv4_input (dev=0x56607d80 <g_sim_dev>) at tcp/tcp_input.c:1355 \| #5 0x5658c0a2 in ipv4_input (dev=0x56607d80 <g_sim_dev>) at devif/ipv4_input.c:358 \| #6 0x56577017 in netdriver_recv_work (arg=0x56607d80 <g_sim_dev>) at sim/up_netdriver.c:182 \| #7 0x5655999e in work_thread (argc=2, argv=0xf3db5dd0) at wqueue/kwork_thread.c:178 \| #8 0x5655983f in nxtask_start () at task/task_start.c:129 (gdb) c Continuing. [ 2.680000] up_assert: Assertion failed at file:devif/devif_callback.c line: 85 task: lpwork Signed-off-by: chao.an <anchao@xiaomi.com>		2022-08-30 19:41:18 +08:00
..
Kconfig	Change dpends on SCHED_[L\|H]PWORK to SCHED_WORKQUEUE	2022-05-28 18:41:51 +03:00
Make.defs	net: fix the build when CONFIG_NET_TCP_WRITE_BUFFERS is not enabled	2022-05-18 07:54:17 +09:00
tcp_accept.c	net/inet: move socket flags into socket_conn_s	2022-02-10 15:04:33 -03:00
tcp_appsend.c	net/tcp: fix regression of invalid update the rexmit_seq in buffer mode	2022-07-12 11:04:39 +03:00
tcp_backlog.c
tcp_callback.c	net: cleanup pvconn reference to avoid confuse	2022-08-26 20:58:11 +08:00
tcp_close.c	net: cleanup pvconn reference to avoid confuse	2022-08-26 20:58:11 +08:00
tcp_conn.c	iob: Remove iob_user_e enum and related code	2022-08-15 08:41:20 +03:00
tcp_connect.c	net: cleanup pvconn reference to avoid confuse	2022-08-26 20:58:11 +08:00
tcp_devpoll.c	tcp: move wd_timer from wifi driver to tcp stack	2022-05-28 16:29:51 +08:00
tcp_dump.c	net: cleanup pvconn reference to avoid confuse	2022-08-26 20:58:11 +08:00
tcp_finddev.c
tcp_getsockopt.c	net/tcp: Use the relative value for keep alive timer	2022-05-18 18:40:41 +03:00
tcp_input.c	tcp: reset conn->nrtx when ack received	2022-08-17 21:35:09 +03:00
tcp_ioctl.c	net: tcp/udp/icmp/icmpv6 add FIONSPACE support	2022-04-02 13:39:38 +08:00
tcp_ipselect.c
tcp_listen.c	net/tcp: Remove tcp_listen_initialize	2022-03-12 19:24:17 +02:00
tcp_monitor.c	net/tcp: fix devif callback list corruption on tcp_close()	2022-08-30 19:41:18 +08:00
tcp_netpoll.c	net: cleanup pvconn reference to avoid confuse	2022-08-26 20:58:11 +08:00
tcp_notifier.c	sched/wqueue: Change the return type of work_notifier_teardown to void	2022-05-14 00:35:29 +03:00
tcp_recvfrom.c	net: cleanup pvconn reference to avoid confuse	2022-08-26 20:58:11 +08:00
tcp_recvwindow.c	net/tcp: change all window relative value type to uint32_t	2021-07-07 03:55:41 -05:00
tcp_send_buffered.c	net: cleanup pvconn reference to avoid confuse	2022-08-26 20:58:11 +08:00
tcp_send_unbuffered.c	net: cleanup pvconn reference to avoid confuse	2022-08-26 20:58:11 +08:00
tcp_send.c	net: unify FAR keyword usage for all net buffer memory mapped buffers	2022-01-20 01:42:56 +08:00
tcp_sendfile.c	net: cleanup pvconn reference to avoid confuse	2022-08-26 20:58:11 +08:00
tcp_seqno.c
tcp_setsockopt.c	tcp: move wd_timer from wifi driver to tcp stack	2022-05-28 16:29:51 +08:00
tcp_timer.c	net/tcp: Search conn list again to aovid the race condition in tcp_timer_expiry	2022-06-07 20:15:41 +03:00
tcp_txdrain.c
tcp_wrbuffer.c	iob: Remove iob_user_e enum and related code	2022-08-15 08:41:20 +03:00
tcp.h	net: cleanup pvconn reference to avoid confuse	2022-08-26 20:58:11 +08:00