Mirrors_Framework/nuttx
1
0
Fork 0
mirror of https://github.com/apache/nuttx.git synced 2026-05-27 19:36:35 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

net/tcp: fix conn->work use after free in worker queue list

Browse Source 
in multi-core cpu, tcp_free and tcp_timer_expiry->tcp_timer will work in parallel, after tcp_free call work_cancle, tcp->timer will call tcp_update_timer to re-add work to worker queue, then tcp_free free conn, in this condition, it will result use after free.

Signed-off-by: wenquan1 <wenquan1@xiaomi.com>
This commit is contained in:
wenquan1
2025-10-21 11:19:50 +08:00
committed by Xiang Xiao
parent cc0cc552fc
commit c0fa2cae3d
2 changed files with 6 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
net/tcp/tcp_conn.c
+4 -4
View File
@@ -786,10 +786,6 @@ void tcp_free(FAR struct tcp_conn_s *conn)
return;
}
/* Cancel tcp timer */
tcp_stop_timer(conn);
/* Make sure monitor is stopped. */
conn_dev_lock(&conn->sconn, conn->dev);
@@ -820,6 +816,10 @@ void tcp_free(FAR struct tcp_conn_s *conn)
tcp_conn_list_unlock();
}
/* Cancel tcp timer */
tcp_stop_timer(conn);
nxrmutex_destroy(&conn->sconn.s_lock);
tcp_free_rx_buffers(conn);