laforge has submitted this change. ( https://gerrit.osmocom.org/c/libosmocore/+/35982?usp=email )

Change subject: osmo_io_uring: Detach msghdr from iofd before calling iofd_handle_send_completion()
......................................................................

osmo_io_uring: Detach msghdr from iofd before calling iofd_handle_send_completion()

msghdr must be detached, because subsequent callback at
iofd_handle_send_completion() may destroy the iofd (which in turn
frees this msghdr, if still attached) and frees the msghdr, causing a
double free.

Related: OS#5751
Change-Id: Ia349f73de2145fa360b20dd40deb73a8ffc71f07
---
M src/core/osmo_io_uring.c
1 file changed, 24 insertions(+), 1 deletion(-)

Approvals:
  Jenkins Builder: Verified
  laforge: Looks good to me, but someone else must approve
  pespin: Looks good to me, approved




diff --git a/src/core/osmo_io_uring.c b/src/core/osmo_io_uring.c
index 3812b50..cb636da 100644
--- a/src/core/osmo_io_uring.c
+++ b/src/core/osmo_io_uring.c
@@ -195,6 +195,15 @@
 {
        struct osmo_io_fd *iofd = msghdr->iofd;

+       /* Detach msghdr from iofd. It might get freed here or it is freed 
during iofd_handle_send_completion().
+        * If there is pending data to send, iofd_uring_submit_tx() will attach 
it again.
+        * iofd_handle_send_completion() will invoke a callback function to 
signal the possibility of write/send.
+        * This callback function might close iofd, leading to the potential 
freeing of iofd->u.uring.write_msghdr if
+        * still attached. Since iofd_handle_send_completion() frees msghdr at 
the end of the function, detaching
+        * msghdr here prevents a double-free bug. */
+       if (iofd->u.uring.write_msghdr == msghdr)
+               iofd->u.uring.write_msghdr = NULL;
+
        if (OSMO_UNLIKELY(IOFD_FLAG_ISSET(iofd, IOFD_FLAG_CLOSED))) {
                msgb_free(msghdr->msg);
                iofd_msghdr_free(msghdr);
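Review bot: the new guard `if (iofd->u.uring.write_msghdr == msghdr)` only clears the pointer when it refers to this msghdr, whereas the assignment removed in the next hunk was unconditional; if write_msghdr can point at a different msghdr at completion time, the commit message should say so, and if it cannot, an OSMO_ASSERT on that equality would document the invariant more clearly than a silent conditional. The block comment is also longer than it needs to be: a single sentence stating that the callback in iofd_handle_send_completion() may close the iofd (freeing an attached write_msghdr) while the function frees msghdr itself at the end, so it must be detached first, carries the whole point.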
@@ -202,7 +211,6 @@
                iofd_handle_send_completion(iofd, rc, msghdr);
        }

-       iofd->u.uring.write_msghdr = NULL;
        /* submit the next to-be-transmitted message for this file descriptor */
        if (iofd->u.uring.write_enabled && !IOFD_FLAG_ISSET(iofd, 
IOFD_FLAG_CLOSED))
                iofd_uring_submit_tx(iofd);

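Review bot: with the unconditional `iofd->u.uring.write_msghdr = NULL;` removed, the code following iofd_handle_send_completion() still dereferences iofd in `if (iofd->u.uring.write_enabled && !IOFD_FLAG_ISSET(iofd, IOFD_FLAG_CLOSED))`. The commit message says the callback may destroy the iofd; that is only safe if closing sets IOFD_FLAG_CLOSED and defers the actual free rather than releasing the struct inside the callback, so please state that assumption in the comment or commit message. It is also worth confirming that the CLOSED check is what keeps iofd_uring_submit_tx() from attaching a fresh write_msghdr to a descriptor that the callback has just closed.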
--
To view, visit https://gerrit.osmocom.org/c/libosmocore/+/35982?usp=email
To unsubscribe, or for help writing mail filters, visit 
https://gerrit.osmocom.org/settings

Gerrit-Project: libosmocore
Gerrit-Branch: master
Gerrit-Change-Id: Ia349f73de2145fa360b20dd40deb73a8ffc71f07
Gerrit-Change-Number: 35982
Gerrit-PatchSet: 9
Gerrit-Owner: jolly <andr...@eversberg.eu>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: daniel <dwillm...@sysmocom.de>
Gerrit-Reviewer: laforge <lafo...@osmocom.org>
Gerrit-Reviewer: pespin <pes...@sysmocom.de>
Gerrit-MessageType: merged
