-
Notifications
You must be signed in to change notification settings - Fork 6.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
net_buf issue leads to unwanted elem free #38829
Labels
bug
The issue is a bug, or the PR is fixing a bug
Comments
XavierChapron
pushed a commit
to XavierChapron/zephyr
that referenced
this issue
Sep 24, 2021
net_buf elements are used in net_pool which are based on lifo implementation. Yet, net_buf structure doesn't respect lifo requierement that the first word must be reserved for the lifo kernel implementation. In most cases, this is fine as this word is mostly accessed when the element is not allocated, however, this is not always true. In such situation, node element is written, ehnce frags element value is not NULL anymore and anything might happen... This fixes zephyrproject-rtos#38829 issue. Signed-off-by: Xavier Chapron <[email protected]>
This is a eventually a duplicate of #32579. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
Current
net_buf
structure shared the first word in a union betweensys_snode_t node;
andstruct net_buf *frags;
.This has been introduced a very long time ago : 553af7c
However,
net_buf
allocation are handled by a LIFO, and the current documentation ofk_lifo_put()
, clearly states that the first word of the element must be reserved for the kernel, which is not the case here.zephyr/include/kernel.h
Line 2302 in 2637c0e
It appears, that this shared first word works great in many cases as the kernel mostly use it only when the element is in the queue and therefore the element is not allocated at this time.
However, in a edge case (probably when the queue is empty and a new element is added), the last element is modified, even if it is currently in used.
At that moment, the value of
node
is written, hence thefrags
value is notNULL
anymore, and bad things happens in my use case.To Reproduce
I've currently see this using mcumgr and smp_bt, however I expect it might be reproducible more easily when the edge case as been localized more accurately.
Impact
On my case, this leads to a mess in the net_buf pool, that leads to bt_conn ref not being properly released, witch means
bt_le_adv_resume()
is never called inbt_conn_unref()
.Environment:
net_buf
norqueue
implementations s changed since, I really thinkmain
is also affected.The text was updated successfully, but these errors were encountered: