From 51c1a9c1ba7fefeee5f8bf4eb6728fd4628f986f Mon Sep 17 00:00:00 2001
From: Andreas Eversberg
Date: Thu, 15 Feb 2024 12:14:48 +0100
Subject: [PATCH] osmo_io_uring: Detach msghdr from iofd before calling iofd_handle_send_completion()

msghdr must be detached, because subsequent callback at iofd_handle_send_completion() may destroy the iofd (which in turn frees this msghdr, if still attached) and frees the msghdr, causing a double free.

Related: OS#5751
Change-Id: Ia349f73de2145fa360b20dd40deb73a8ffc71f07
---
 src/core/osmo_io_uring.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/core/osmo_io_uring.c b/src/core/osmo_io_uring.c
index 26586808a..fc50ef8eb 100644
--- a/src/core/osmo_io_uring.c
+++ b/src/core/osmo_io_uring.c
@@ -195,6 +195,13 @@ static void iofd_uring_handle_tx(struct iofd_msghdr *msghdr, int rc)
 {
 struct osmo_io_fd *iofd = msghdr->iofd;
 
+ /* Detach msghdr from iofd. It might get freed here or it will be freed at iofd_handle_send_completion().
+ * If there is pending data to send, iofd_uring_submit_tx() will attach it again.
+ * iofd_handle_send_completion() will free msghdr at the end. the previous callback function may destroy iofd.
+ * If msghdr would be attached to iofd, it could be freed twice, causing a double free error. */
+ if (iofd->u.uring.write_msghdr == msghdr)
+ iofd->u.uring.write_msghdr = NULL;
+
 if (OSMO_UNLIKELY(IOFD_FLAG_ISSET(iofd, IOFD_FLAG_CLOSED))) {
 msgb_free(msghdr->msg);
 iofd_msghdr_free(msghdr);
@@ -202,7 +209,6 @@ static void iofd_uring_handle_tx(struct iofd_msghdr *msghdr, int rc)
 iofd_handle_send_completion(iofd, rc, msghdr);
 }
 
- iofd->u.uring.write_msghdr = NULL;
 /* submit the next to-be-transmitted message for this file descriptor */
 if (iofd->u.uring.write_enabled && !IOFD_FLAG_ISSET(iofd, IOFD_FLAG_CLOSED))
 iofd_uring_submit_tx(iofd);
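Review bot: Detaching the msghdr removes the double free, but the second hunk still reads `iofd->u.uring.write_enabled` and the CLOSED flag right after `iofd_handle_send_completion(iofd, rc, msghdr)` returns, and the commit message says that call may destroy the iofd; if the destruction is not deferred while a callback is running (nothing in these hunks shows such a guard), that read is a use-after-free on the same object the detach was meant to protect. The patch should either document the invariant the code relies on, e.g. `/* iofd must survive the callback above: osmo_iofd_free() defers the actual free while a callback is in progress */` placed before the `write_enabled` check, or, if no such deferral exists, return early when the iofd was freed, so the comment in the first hunk does not claim a guarantee the rest of the function contradicts. The new comment in the first hunk also has a sentence starting in lower case after "at the end."; I would write `... will free msghdr at the end. The previous callback function may destroy iofd.`. iofd_uring_handle_tx() ends outside the second hunk.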