|
From: | Ted Smith |
Subject: | [lwip-users] Race condition in tpcip.c causing memory corruption |
Date: | Wed, 27 Feb 2013 16:56:33 +0000 |
I’m using lwip on a microblaze platform using FreeRTOS as the OS. I ran into memory corruption problems when inbound and outbound traffic over a tcp socket was occurring. I traced the problem to the function tcpip_apimsg() where
a context switch occurs between the sys_mbox_post() and sys_arch_sem_wait(). In this scenario a thread doing an outbound socket write results in a msg for do_write getting posted to the mbox. This causes a context switch to the tcpip_thread() which fetches
the msg from the mailbox and begins processing. This thread gets context switched out before getting to the TCPIP_APIMSG_ACK(). Execution is passed to a thread that is passing packets into lwip. This thread gets into tcpip_apimsg() and posts to the mbox.
No context switch occurs (because tcpip_thread() is not currently waiting in the fetch call) so this receive thread makes it to the sys_arch_sem_wait(&apimsg->msg.conn->op_completed, 0) call and blocks. Now a context switch occurs back to the outbound thread
which finally makes it to the same sys_arch_sem_wait() call and blocks. Now context is switched to the tcpip_thread which finish the do_write() execution and calls TCPIP_APIMSG_ACK(). This should have unblocked the outbound thread however the first one
to block on that sem was the inbound thread (which still has it’s message posted in the mbox) so the inbound thread receives the signal. Now the tcpip_thread() grabs the inbound msg (which container was on the inbound thread’s stack which has been popped)
and starts processing the message. That container can now be corrupted since the stack has been popped. Bad things happen after this….. I’m wondering if I’m somehow using the interfaces wrong to cause this to happen. I fixed this by protecting the tcpip_apimsg() call with a semaphore to stop reentrancy.
I’m I doing something wrong or is this a real bug? Thanks, Ted
------------------------------------------------------- CONFIDENTIALITY NOTICE: This email and any attachments are confidential information of the sender and are for the exclusive use of the intended recipient. If you are not the intended recipient, be aware that any disclosure, copying, distribution, or use of this email or any attachment is prohibited. If you have received this email in error, please notify us immediately by returning it to the sender and delete this copy from your system. Thank you for your cooperation. |
[Prev in Thread] | Current Thread | [Next in Thread] |