libosmocore/include/osmocom/core/write_queue.h

/*! \file write_queue.h
 * Generic write queue implementation */
/*
 * (C) 2010 by Holger Hans Peter Freyther
 * (C) 2010 by On-Waves
 *
 * All Rights Reserved
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 */
#pragma once

/*! \defgroup write_queue Osmocom msgb write queues
 *  @{
 * \file write_queue.h */

#include <osmocom/core/select.h>
#include <osmocom/core/msgb.h>

/*! write queue instance */
struct osmo_wqueue {
	/*! osmocom file descriptor */
	struct osmo_fd bfd;
	/*! maximum length of write queue */
	unsigned int max_length;
	/*! current length of write queue */
	unsigned int current_length;

	/*! actual linked list implementing the queue */
	struct llist_head msg_queue;

	/*! call-back in case qeueue is readable. Return -EBADF if fd is freed inside cb. */
	int (*read_cb)(struct osmo_fd *fd);
	/*! call-back in case qeueue is writable. Return -EBADF if fd is freed inside cb. */
	int (*write_cb)(struct osmo_fd *fd, struct msgb *msg);
	/*! call-back in case qeueue has exceptions. Return -EBADF if fd is freed inside cb. */
	int (*except_cb)(struct osmo_fd *fd);
};

void osmo_wqueue_init(struct osmo_wqueue *queue, int max_length);
void osmo_wqueue_clear(struct osmo_wqueue *queue);
int osmo_wqueue_enqueue(struct osmo_wqueue *queue, struct msgb *data);
int osmo_wqueue_enqueue_quiet(struct osmo_wqueue *queue, struct msgb *data);
int osmo_wqueue_bfd_cb(struct osmo_fd *fd, unsigned int what);

/*! @} */
doxygen: unify use of \file across the board Considering the various styles and implications found in the sources, edit scores of files to follow the same API doc guidelines around the doxygen grouping and the \file tag. Many files now show a short description in the generated API doc that was so far only available as C comment. The guidelines and reasoning behind it is documented at https://osmocom.org/projects/cellular-infrastructure/wiki/Guidelines_for_API_documentation In some instances, remove file comments and add to the corresponding group instead, to be shared among several files (e.g. bitvec). Change-Id: Ifa70e77e90462b5eb2b0457c70fd25275910c72b 2017-06-20 02:35:06 +00:00			`/*! \file write_queue.h`
			`* Generic write queue implementation */`
[write_queue] Add a generic write queue class The write queue can be a dropin replacement for the bsc_fd. It is featuring two callbacks. One for ready read and one for ready write. Whenever there is a message in the queue the write_queue will set the BSC_FD_WRITE flag and then call the write callback. It will make sure to delete the msgb after the write function has been called. This class is intended to be be used in the osmocom, layer2, bsc_msc_ip, bsc_hack and other applications. 2010-02-26 19:30:32 +00:00			`/*`
			`* (C) 2010 by Holger Hans Peter Freyther`
			`* (C) 2010 by On-Waves`
			`*`
			`* All Rights Reserved`
			`*`
			`* This program is free software; you can redistribute it and/or modify`
			`* it under the terms of the GNU General Public License as published by`
			`* the Free Software Foundation; either version 2 of the License, or`
			`* (at your option) any later version.`
			`*`
			`* This program is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`* GNU General Public License for more details.`
			`*`
			`*/`
include: Switch to #pragma once pattern Signed-off-by: Sylvain Munaut <tnt@246tNt.com> 2014-06-16 08:13:40 +00:00			`#pragma once`
[write_queue] Add a generic write queue class The write queue can be a dropin replacement for the bsc_fd. It is featuring two callbacks. One for ready read and one for ready write. Whenever there is a message in the queue the write_queue will set the BSC_FD_WRITE flag and then call the write callback. It will make sure to delete the msgb after the write function has been called. This class is intended to be be used in the osmocom, layer2, bsc_msc_ip, bsc_hack and other applications. 2010-02-26 19:30:32 +00:00
doxygen: Add 'write_queue' module 2011-08-17 12:23:42 +00:00			`/*! \defgroup write_queue Osmocom msgb write queues`
			`* @{`
doxygen: unify use of \file across the board Considering the various styles and implications found in the sources, edit scores of files to follow the same API doc guidelines around the doxygen grouping and the \file tag. Many files now show a short description in the generated API doc that was so far only available as C comment. The guidelines and reasoning behind it is documented at https://osmocom.org/projects/cellular-infrastructure/wiki/Guidelines_for_API_documentation In some instances, remove file comments and add to the corresponding group instead, to be shared among several files (e.g. bitvec). Change-Id: Ifa70e77e90462b5eb2b0457c70fd25275910c72b 2017-06-20 02:35:06 +00:00			`* \file write_queue.h */`
start to add doxygen documentation to libosmocore headers 2011-08-16 21:26:52 +00:00
write_queue: use full path of includes in osmocom/core/write_queue.h 2011-03-28 17:24:20 +00:00			`#include <osmocom/core/select.h>`
			`#include <osmocom/core/msgb.h>`
[write_queue] Add a generic write queue class The write queue can be a dropin replacement for the bsc_fd. It is featuring two callbacks. One for ready read and one for ready write. Whenever there is a message in the queue the write_queue will set the BSC_FD_WRITE flag and then call the write callback. It will make sure to delete the msgb after the write function has been called. This class is intended to be be used in the osmocom, layer2, bsc_msc_ip, bsc_hack and other applications. 2010-02-26 19:30:32 +00:00
start to add doxygen documentation to libosmocore headers 2011-08-16 21:26:52 +00:00			`/! write queue instance /`
write-queue: use namespace prefix osmo_wqueue* Summary of changes: s/struct write_queue/struct osmo_wqueue/g s/write_queue_init/osmo_wqueue_init/g s/void write_queue_clear/osmo_wqueue_clear/g s/write_queue_enqueue/osmo_wqueue_enqueue/g s/write_queue_bfd_cb/osmo_wqueue_bfd_cb/g 2011-05-07 10:42:51 +00:00			`struct osmo_wqueue {`
doxygen: enable AUTOBRIEF, drop \brief Especially for short descriptions, it is annoying to have to type \brief for every single API doc. Drop all \brief and enable the AUTOBRIEF feature of doxygen, which always takes the first sentence of an API doc as the brief description. Change-Id: I11a8a821b065a128108641a2a63fb5a2b1916e87 2017-06-19 22:17:59 +00:00			`/! osmocom file descriptor /`
select: use namespace prefix osmo_fd* and osmo_select* Summary of changes: s/struct bsc_fd/struct osmo_fd/g s/bsc_register_fd/osmo_fd_register/g s/bsc_unregister_fd/osmo_fd_unregister/g s/bsc_select_main/osmo_select_main/g 2011-05-07 10:42:40 +00:00			`struct osmo_fd bfd;`
doxygen: enable AUTOBRIEF, drop \brief Especially for short descriptions, it is annoying to have to type \brief for every single API doc. Drop all \brief and enable the AUTOBRIEF feature of doxygen, which always takes the first sentence of an API doc as the brief description. Change-Id: I11a8a821b065a128108641a2a63fb5a2b1916e87 2017-06-19 22:17:59 +00:00			`/! maximum length of write queue /`
[write_queue] Add a generic write queue class The write queue can be a dropin replacement for the bsc_fd. It is featuring two callbacks. One for ready read and one for ready write. Whenever there is a message in the queue the write_queue will set the BSC_FD_WRITE flag and then call the write callback. It will make sure to delete the msgb after the write function has been called. This class is intended to be be used in the osmocom, layer2, bsc_msc_ip, bsc_hack and other applications. 2010-02-26 19:30:32 +00:00			`unsigned int max_length;`
doxygen: enable AUTOBRIEF, drop \brief Especially for short descriptions, it is annoying to have to type \brief for every single API doc. Drop all \brief and enable the AUTOBRIEF feature of doxygen, which always takes the first sentence of an API doc as the brief description. Change-Id: I11a8a821b065a128108641a2a63fb5a2b1916e87 2017-06-19 22:17:59 +00:00			`/! current length of write queue /`
[write_queue] Add a generic write queue class The write queue can be a dropin replacement for the bsc_fd. It is featuring two callbacks. One for ready read and one for ready write. Whenever there is a message in the queue the write_queue will set the BSC_FD_WRITE flag and then call the write callback. It will make sure to delete the msgb after the write function has been called. This class is intended to be be used in the osmocom, layer2, bsc_msc_ip, bsc_hack and other applications. 2010-02-26 19:30:32 +00:00			`unsigned int current_length;`

doxygen: enable AUTOBRIEF, drop \brief Especially for short descriptions, it is annoying to have to type \brief for every single API doc. Drop all \brief and enable the AUTOBRIEF feature of doxygen, which always takes the first sentence of an API doc as the brief description. Change-Id: I11a8a821b065a128108641a2a63fb5a2b1916e87 2017-06-19 22:17:59 +00:00			`/! actual linked list implementing the queue /`
[write_queue] Add a generic write queue class The write queue can be a dropin replacement for the bsc_fd. It is featuring two callbacks. One for ready read and one for ready write. Whenever there is a message in the queue the write_queue will set the BSC_FD_WRITE flag and then call the write callback. It will make sure to delete the msgb after the write function has been called. This class is intended to be be used in the osmocom, layer2, bsc_msc_ip, bsc_hack and other applications. 2010-02-26 19:30:32 +00:00			`struct llist_head msg_queue;`

control_if: Avoid heap-use-after-free in osmo_wqueue_bfd_cb Imagine following scenario: 1- client connects to CTRL iface, a new conn is created with POLL_READ enabled. 2- A non-related event happens which triggers a TRAP to be sent. As a result, the wqueue for the conn has now enabled POLL_WRITE, and message will be sent next time we go through osmo_main_select(). 3- At the same time, we receive the GET cmd from the CTRL client, which means POLL_READ event will be also triggered next time we call osmo_main_select(). 4- osmo_main_select triggers osmo_wqueue_bfd_cb with both READ/WRITE flags set. 5- The read_cb of wqueue is executed first. The handler closes the CTRL conn for some reason, freeing the osmo_fd struct and returns. 6- osmo_qeueue_bfd_cb keeps using the already freed osmo_fd and calls write_cb. So in step 6 we get a heap-use-after-free catched by AddressSanitizer: [0;m20180424135406115 [1;32mDLCTRL[0;m <0018> control_if.c:506 accept()ed new CTRL connection from (r=10.42.42.1:53910<->l=10.42.42.7:4249) [0;m20180424135406116 [1;34mDLCTRL[0;m <0018> control_cmd.c:378 Command: GET bts.0.oml-connection-state [0;m20180424135406117 [1;34mDLINP[0;m <0013> bts_ipaccess_nanobts.c:417 Identified BTS 1/0/0 [0;m[1;36m20180424135406118 [1;34mDNM[0;m[1;36m <0005> abis_nm.c:1628 Get Attr (bts=0) [0;m[1;36m20180424135406118 [1;34mDNM[0;m[1;36m <0005> abis_nm.c:1628 Get Attr (bts=0) [0;m20180424135406118 [1;34mDCTRL[0;m <000e> osmo_bsc_ctrl.c:158 BTS connection (re)established, sending TRAP. [0;m20180424135406119 [1;32mDLCTRL[0;m <0018> control_if.c:173 close()d CTRL connection (r=10.42.42.1:53910<->l=10.42.42.7:4249) [0;m================================================================= ==12301==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000003e04 at pc 0x7f23091c3a2f bp 0x7ffc0cb73ff0 sp 0x7ffc0cb73fe8 READ of size 4 at 0x611000003e04 thread T0 #0 0x7f23091c3a2e in osmo_wqueue_bfd_cb /home/osmocom-build/jenkins/workspace/osmo-gsm-tester_build-osmo-bsc/libosmocore/src/write_queue.c:65 #1 0x7f23091ad5d8 in osmo_fd_disp_fds /home/osmocom-build/jenkins/workspace/osmo-gsm-tester_build-osmo-bsc/libosmocore/src/select.c:216 #2 0x7f23091ad5d8 in osmo_select_main /home/osmocom-build/jenkins/workspace/osmo-gsm-tester_build-osmo-bsc/libosmocore/src/select.c:256 #3 0x56538bdb7a26 in main /home/osmocom-build/jenkins/workspace/osmo-gsm-tester_build-osmo-bsc/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:532 #4 0x7f23077532e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0) #5 0x56538bdb8999 in _start (/home/jenkins/workspace/osmo-gsm-tester_run-prod/trial-896/inst/osmo-bsc/bin/osmo-bsc+0x259999) Fixes: OS#3206 Change-Id: I84d10caaadcfa6bd46ba8756ca89aa0badcfd2e3 2018-05-04 16:20:35 +00:00			`/! call-back in case qeueue is readable. Return -EBADF if fd is freed inside cb. /`
select: use namespace prefix osmo_fd* and osmo_select* Summary of changes: s/struct bsc_fd/struct osmo_fd/g s/bsc_register_fd/osmo_fd_register/g s/bsc_unregister_fd/osmo_fd_unregister/g s/bsc_select_main/osmo_select_main/g 2011-05-07 10:42:40 +00:00			`int (read_cb)(struct osmo_fd fd);`
control_if: Avoid heap-use-after-free in osmo_wqueue_bfd_cb Imagine following scenario: 1- client connects to CTRL iface, a new conn is created with POLL_READ enabled. 2- A non-related event happens which triggers a TRAP to be sent. As a result, the wqueue for the conn has now enabled POLL_WRITE, and message will be sent next time we go through osmo_main_select(). 3- At the same time, we receive the GET cmd from the CTRL client, which means POLL_READ event will be also triggered next time we call osmo_main_select(). 4- osmo_main_select triggers osmo_wqueue_bfd_cb with both READ/WRITE flags set. 5- The read_cb of wqueue is executed first. The handler closes the CTRL conn for some reason, freeing the osmo_fd struct and returns. 6- osmo_qeueue_bfd_cb keeps using the already freed osmo_fd and calls write_cb. So in step 6 we get a heap-use-after-free catched by AddressSanitizer: [0;m20180424135406115 [1;32mDLCTRL[0;m <0018> control_if.c:506 accept()ed new CTRL connection from (r=10.42.42.1:53910<->l=10.42.42.7:4249) [0;m20180424135406116 [1;34mDLCTRL[0;m <0018> control_cmd.c:378 Command: GET bts.0.oml-connection-state [0;m20180424135406117 [1;34mDLINP[0;m <0013> bts_ipaccess_nanobts.c:417 Identified BTS 1/0/0 [0;m[1;36m20180424135406118 [1;34mDNM[0;m[1;36m <0005> abis_nm.c:1628 Get Attr (bts=0) [0;m[1;36m20180424135406118 [1;34mDNM[0;m[1;36m <0005> abis_nm.c:1628 Get Attr (bts=0) [0;m20180424135406118 [1;34mDCTRL[0;m <000e> osmo_bsc_ctrl.c:158 BTS connection (re)established, sending TRAP. [0;m20180424135406119 [1;32mDLCTRL[0;m <0018> control_if.c:173 close()d CTRL connection (r=10.42.42.1:53910<->l=10.42.42.7:4249) [0;m================================================================= ==12301==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000003e04 at pc 0x7f23091c3a2f bp 0x7ffc0cb73ff0 sp 0x7ffc0cb73fe8 READ of size 4 at 0x611000003e04 thread T0 #0 0x7f23091c3a2e in osmo_wqueue_bfd_cb /home/osmocom-build/jenkins/workspace/osmo-gsm-tester_build-osmo-bsc/libosmocore/src/write_queue.c:65 #1 0x7f23091ad5d8 in osmo_fd_disp_fds /home/osmocom-build/jenkins/workspace/osmo-gsm-tester_build-osmo-bsc/libosmocore/src/select.c:216 #2 0x7f23091ad5d8 in osmo_select_main /home/osmocom-build/jenkins/workspace/osmo-gsm-tester_build-osmo-bsc/libosmocore/src/select.c:256 #3 0x56538bdb7a26 in main /home/osmocom-build/jenkins/workspace/osmo-gsm-tester_build-osmo-bsc/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:532 #4 0x7f23077532e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0) #5 0x56538bdb8999 in _start (/home/jenkins/workspace/osmo-gsm-tester_run-prod/trial-896/inst/osmo-bsc/bin/osmo-bsc+0x259999) Fixes: OS#3206 Change-Id: I84d10caaadcfa6bd46ba8756ca89aa0badcfd2e3 2018-05-04 16:20:35 +00:00			`/! call-back in case qeueue is writable. Return -EBADF if fd is freed inside cb. /`
select: use namespace prefix osmo_fd* and osmo_select* Summary of changes: s/struct bsc_fd/struct osmo_fd/g s/bsc_register_fd/osmo_fd_register/g s/bsc_unregister_fd/osmo_fd_unregister/g s/bsc_select_main/osmo_select_main/g 2011-05-07 10:42:40 +00:00			`int (write_cb)(struct osmo_fd fd, struct msgb *msg);`
control_if: Avoid heap-use-after-free in osmo_wqueue_bfd_cb Imagine following scenario: 1- client connects to CTRL iface, a new conn is created with POLL_READ enabled. 2- A non-related event happens which triggers a TRAP to be sent. As a result, the wqueue for the conn has now enabled POLL_WRITE, and message will be sent next time we go through osmo_main_select(). 3- At the same time, we receive the GET cmd from the CTRL client, which means POLL_READ event will be also triggered next time we call osmo_main_select(). 4- osmo_main_select triggers osmo_wqueue_bfd_cb with both READ/WRITE flags set. 5- The read_cb of wqueue is executed first. The handler closes the CTRL conn for some reason, freeing the osmo_fd struct and returns. 6- osmo_qeueue_bfd_cb keeps using the already freed osmo_fd and calls write_cb. So in step 6 we get a heap-use-after-free catched by AddressSanitizer: [0;m20180424135406115 [1;32mDLCTRL[0;m <0018> control_if.c:506 accept()ed new CTRL connection from (r=10.42.42.1:53910<->l=10.42.42.7:4249) [0;m20180424135406116 [1;34mDLCTRL[0;m <0018> control_cmd.c:378 Command: GET bts.0.oml-connection-state [0;m20180424135406117 [1;34mDLINP[0;m <0013> bts_ipaccess_nanobts.c:417 Identified BTS 1/0/0 [0;m[1;36m20180424135406118 [1;34mDNM[0;m[1;36m <0005> abis_nm.c:1628 Get Attr (bts=0) [0;m[1;36m20180424135406118 [1;34mDNM[0;m[1;36m <0005> abis_nm.c:1628 Get Attr (bts=0) [0;m20180424135406118 [1;34mDCTRL[0;m <000e> osmo_bsc_ctrl.c:158 BTS connection (re)established, sending TRAP. [0;m20180424135406119 [1;32mDLCTRL[0;m <0018> control_if.c:173 close()d CTRL connection (r=10.42.42.1:53910<->l=10.42.42.7:4249) [0;m================================================================= ==12301==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000003e04 at pc 0x7f23091c3a2f bp 0x7ffc0cb73ff0 sp 0x7ffc0cb73fe8 READ of size 4 at 0x611000003e04 thread T0 #0 0x7f23091c3a2e in osmo_wqueue_bfd_cb /home/osmocom-build/jenkins/workspace/osmo-gsm-tester_build-osmo-bsc/libosmocore/src/write_queue.c:65 #1 0x7f23091ad5d8 in osmo_fd_disp_fds /home/osmocom-build/jenkins/workspace/osmo-gsm-tester_build-osmo-bsc/libosmocore/src/select.c:216 #2 0x7f23091ad5d8 in osmo_select_main /home/osmocom-build/jenkins/workspace/osmo-gsm-tester_build-osmo-bsc/libosmocore/src/select.c:256 #3 0x56538bdb7a26 in main /home/osmocom-build/jenkins/workspace/osmo-gsm-tester_build-osmo-bsc/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:532 #4 0x7f23077532e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0) #5 0x56538bdb8999 in _start (/home/jenkins/workspace/osmo-gsm-tester_run-prod/trial-896/inst/osmo-bsc/bin/osmo-bsc+0x259999) Fixes: OS#3206 Change-Id: I84d10caaadcfa6bd46ba8756ca89aa0badcfd2e3 2018-05-04 16:20:35 +00:00			`/! call-back in case qeueue has exceptions. Return -EBADF if fd is freed inside cb. /`
select: use namespace prefix osmo_fd* and osmo_select* Summary of changes: s/struct bsc_fd/struct osmo_fd/g s/bsc_register_fd/osmo_fd_register/g s/bsc_unregister_fd/osmo_fd_unregister/g s/bsc_select_main/osmo_select_main/g 2011-05-07 10:42:40 +00:00			`int (except_cb)(struct osmo_fd fd);`
[write_queue] Add a generic write queue class The write queue can be a dropin replacement for the bsc_fd. It is featuring two callbacks. One for ready read and one for ready write. Whenever there is a message in the queue the write_queue will set the BSC_FD_WRITE flag and then call the write callback. It will make sure to delete the msgb after the write function has been called. This class is intended to be be used in the osmocom, layer2, bsc_msc_ip, bsc_hack and other applications. 2010-02-26 19:30:32 +00:00			`};`

write-queue: use namespace prefix osmo_wqueue* Summary of changes: s/struct write_queue/struct osmo_wqueue/g s/write_queue_init/osmo_wqueue_init/g s/void write_queue_clear/osmo_wqueue_clear/g s/write_queue_enqueue/osmo_wqueue_enqueue/g s/write_queue_bfd_cb/osmo_wqueue_bfd_cb/g 2011-05-07 10:42:51 +00:00			`void osmo_wqueue_init(struct osmo_wqueue *queue, int max_length);`
			`void osmo_wqueue_clear(struct osmo_wqueue *queue);`
			`int osmo_wqueue_enqueue(struct osmo_wqueue queue, struct msgb data);`
write_queue: Add osmo_wqueue_enqueue_quiet() Same as osmo_wqueue_enqueue() but without logging queue overruns. Change-Id: Ic082eb39795b08631284eeb421fef3c28f2e90dc 2020-09-26 20:02:27 +00:00			`int osmo_wqueue_enqueue_quiet(struct osmo_wqueue queue, struct msgb data);`
write-queue: use namespace prefix osmo_wqueue* Summary of changes: s/struct write_queue/struct osmo_wqueue/g s/write_queue_init/osmo_wqueue_init/g s/void write_queue_clear/osmo_wqueue_clear/g s/write_queue_enqueue/osmo_wqueue_enqueue/g s/write_queue_bfd_cb/osmo_wqueue_bfd_cb/g 2011-05-07 10:42:51 +00:00			`int osmo_wqueue_bfd_cb(struct osmo_fd *fd, unsigned int what);`
[write_queue] Add a generic write queue class The write queue can be a dropin replacement for the bsc_fd. It is featuring two callbacks. One for ready read and one for ready write. Whenever there is a message in the queue the write_queue will set the BSC_FD_WRITE flag and then call the write callback. It will make sure to delete the msgb after the write function has been called. This class is intended to be be used in the osmocom, layer2, bsc_msc_ip, bsc_hack and other applications. 2010-02-26 19:30:32 +00:00
doc: Fix the Doxygen section endings Signed-off-by: Sylvain Munaut <tnt@246tNt.com> 2012-04-18 19:53:23 +00:00			`/! @} /`