Mirrors_Framework/nuttx
1
0
Fork 0
mirror of https://github.com/apache/nuttx.git synced 2026-05-24 16:11:56 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

net/tcp: fix conn->work use after free in worker queue list

Browse Source 
in multi-core cpu, tcp_free and tcp_timer_expiry->tcp_timer will work in parallel, after tcp_free call work_cancle, tcp->timer will call tcp_update_timer to re-add work to worker queue, then tcp_free free conn, in this condition, it will result use after free.

Signed-off-by: wenquan1 <wenquan1@xiaomi.com>
This commit is contained in:
wenquan1
2025-10-21 11:19:50 +08:00
committed by Xiang Xiao
parent cc0cc552fc
commit c0fa2cae3d
2 changed files with 6 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
net/devif/devif_poll.c
+2
View File
@@ -647,6 +647,7 @@ static inline int devif_poll_tcp_connections(FAR struct net_driver_s *dev,
/* Traverse all of the active TCP connections and perform the poll action */
tcp_conn_list_lock();
while (!bstop && (conn = tcp_nextconn(conn)))
{
/* Skip TCP connections that are bound to other polling devices */
@@ -667,6 +668,7 @@ static inline int devif_poll_tcp_connections(FAR struct net_driver_s *dev,
}
}
tcp_conn_list_unlock();
return bstop;
}
#else
net/tcp/tcp_conn.c
+4 -4
View File
@@ -786,10 +786,6 @@ void tcp_free(FAR struct tcp_conn_s *conn)
return;
}
/* Cancel tcp timer */
tcp_stop_timer(conn);
/* Make sure monitor is stopped. */
conn_dev_lock(&conn->sconn, conn->dev);
@@ -820,6 +816,10 @@ void tcp_free(FAR struct tcp_conn_s *conn)
tcp_conn_list_unlock();
}
/* Cancel tcp timer */
tcp_stop_timer(conn);
nxrmutex_destroy(&conn->sconn.s_lock);
tcp_free_rx_buffers(conn);