diff options
author | Pau Espin Pedrol <pespin@sysmocom.de> | 2023-10-25 14:49:11 +0200 |
---|---|---|
committer | pespin <pespin@sysmocom.de> | 2023-10-25 16:00:59 +0000 |
commit | bd777b027657a386fc72eb4a9d1a08a73a20603c (patch) | |
tree | 3d15babf1089c75162a3db9fd14e308a94c1f7ce | |
parent | 3bd97d839e59a18b2638ff3ac76f5bc3dc3d22d5 (diff) |
trx_if: Allow calling trx_if_flush/close from within TRXC callback (v2)
- If the llist is flushed during rx rsp callback, when the flow is
returned to trx_ctrl_read_cb() it would access tcm which was in the
llist and end up in use-after-free.
- We need to store state on whether code path is inside the read_cb in
order to:
-- Delay transmission of new message if callback calls trx_if_flush()
followed by trx_ctrl_send(), since the trx_ctrl_send() at the end of
trx_ctrl_read_cb would retransmit it again immediatelly.
-- Avoid accessing tcm pointer if the callback called trx_if_flush(),
since it has been freed.
Related: OS#6020
Change-Id: Ibdffa4644aa3a7d219452644d3e74b411734f1df
-rw-r--r-- | src/osmo-bts-trx/l1_if.h | 4 | ||||
-rw-r--r-- | src/osmo-bts-trx/trx_if.c | 34 |
2 files changed, 31 insertions, 7 deletions
diff --git a/src/osmo-bts-trx/l1_if.h b/src/osmo-bts-trx/l1_if.h index 18d84c2f..84fd4b5b 100644 --- a/src/osmo-bts-trx/l1_if.h +++ b/src/osmo-bts-trx/l1_if.h @@ -120,6 +120,10 @@ struct trx_l1h { struct llist_head trx_ctrl_list; /* Latest RSPed cmd, used to catch duplicate RSPs from sent retransmissions */ struct trx_ctrl_msg *last_acked; + /* Whether the code path is in the middle of handling a received message. */ + bool in_trx_ctrl_read_cb; + /* Whether the l1h->trx_ctrl_list was flushed by the callback handling a received message */ + bool flushed_while_in_trx_ctrl_read_cb; //struct gsm_bts_trx *trx; struct phy_instance *phy_inst; diff --git a/src/osmo-bts-trx/trx_if.c b/src/osmo-bts-trx/trx_if.c index 3f9fc049..89078a32 100644 --- a/src/osmo-bts-trx/trx_if.c +++ b/src/osmo-bts-trx/trx_if.c @@ -269,8 +269,10 @@ static int trx_ctrl_cmd_cb(struct trx_l1h *l1h, int critical, void *cb, const ch tcm->cmd, tcm->params_len ? " " : "", tcm->params); llist_add_tail(&tcm->list, &l1h->trx_ctrl_list); - /* send message, if we didn't already have pending messages */ - if (prev == NULL) + /* send message, if we didn't already have pending messages. + * If we are in the rx_rsp callback code path, skip sending, the + * callback will do so when returning to it. */ + if (prev == NULL && !l1h->in_trx_ctrl_read_cb) trx_ctrl_send(l1h); return 0; @@ -673,6 +675,7 @@ static int trx_ctrl_read_cb(struct osmo_fd *ofd, unsigned int what) struct trx_ctrl_rsp rsp; int len, rc; struct trx_ctrl_msg *tcm; + bool flushed; len = recv(ofd->fd, buf, sizeof(buf) - 1, 0); if (len <= 0) @@ -722,21 +725,34 @@ static int trx_ctrl_read_cb(struct osmo_fd *ofd, unsigned int what) rsp.cb = tcm->cb; /* check for response code */ + l1h->in_trx_ctrl_read_cb = true; rc = trx_ctrl_rx_rsp(l1h, &rsp, tcm); + /* Reset state: */ + flushed = l1h->flushed_while_in_trx_ctrl_read_cb; + l1h->flushed_while_in_trx_ctrl_read_cb = false; + l1h->in_trx_ctrl_read_cb = false; + if (rc == -EINVAL) goto rsp_error; /* re-schedule last cmd in rc seconds time */ if (rc > 0) { - osmo_timer_schedule(&l1h->trx_ctrl_timer, rc, 0); + /* The queue may have been flushed in the trx_ctrl_rx_rsp(): */ + if (!llist_empty(&l1h->trx_ctrl_list)) + osmo_timer_schedule(&l1h->trx_ctrl_timer, rc, 0); return 0; } - /* remove command from list, save it to last_acked and removed previous last_acked */ - llist_del(&tcm->list); - talloc_free(l1h->last_acked); - l1h->last_acked = tcm; + if (!flushed) { + /* Remove command from list, save it to last_acked and removed + * previous last_acked */ + llist_del(&tcm->list); + talloc_free(l1h->last_acked); + l1h->last_acked = tcm; + } /* else: tcm was freed by trx_if_flush(), do not access it. */ + + /* Send next message waiting in the list: */ trx_ctrl_send(l1h); return 0; @@ -1224,6 +1240,10 @@ void trx_if_flush(struct trx_l1h *l1h) /* Tx queue is now empty, so there's no point in keeping the retrans timer armed: */ osmo_timer_del(&l1h->trx_ctrl_timer); + + /* If we are in read_cb, signal to the returning code path that we freed the list. */ + if (l1h->in_trx_ctrl_read_cb) + l1h->flushed_while_in_trx_ctrl_read_cb = true; } /*! close the TRX for given handle (data + control socket) */ |