
[lwip-devel] [bug #60532] Double free and assert "pbuf_free: p->ref > 0"

From: SviMik
Subject: [lwip-devel] [bug #60532] Double free and assert "pbuf_free: p->ref > 0" fail
Date: Wed, 5 May 2021 09:49:01 -0400 (EDT)
User-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36


                 Summary: Double free and assert "pbuf_free: p->ref > 0" fail
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: svimik
            Submitted on: Wed 05 May 2021 01:48:59 PM UTC
                Category: pbufs
                Severity: 3 - Normal
              Item Group: Crash Error
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: None
            lwIP version: Other



I'm experiencing a lot of memory issues in lwip when checking my project with
valgrind. One of them seems fatal because an lwip assertion fails too.

I'm using git "STABLE-2_1_x" branch.

Here is the valgrind log. I'm not sure if the assertion fail is somehow connected
with the invalid free() or whether these are two separate issues; there are just too many of
them and I really need some help.

==8111== Invalid free() / delete / delete[] / realloc()
==8111==    at 0x4C32D3B: free (in
==8111==    by 0x11C7FE: mem_free (main.h:1479)
==8111==    by 0x11C7FE: pbuf_free (pbuf.c:780)
==8111==    by 0x121546: tcp_seg_free (tcp.c:1663)
==8111==    by 0x121656: tcp_free_acked_segments(tcp_pcb*, tcp_seg*, char const*, tcp_seg*) [clone .isra.58] (tcp_in.c:1132)
==8111==    by 0x123B84: tcp_receive(tcp_pcb*) (tcp_in.c:1301)
==8111==    by 0x12AAB1: tcp_process (tcp_in.c:999)
==8111==    by 0x12AAB1: tcp_input (tcp_in.c:454)
==8111==    by 0x12B645: ip4_input (ip4.c:717)
==8111==    by 0x12096E: lwip_push_ip_packet(session*, void const*, int)
==8111==    by 0x132C8F: process_incoming_tap_packet(session*, unsigned char*, int) (tap.c:1968)
==8111==    by 0x132E52: tap_process_thread(void*) (tap_linux.c:647)
==8111==    by 0x654C6DA: start_thread (pthread_create.c:463)
==8111==    by 0x688571E: clone (clone.S:95)
==8111==  Address 0x1029b0f0 is 0 bytes inside a block of size 1,520 free'd
==8111==    at 0x4C33D2F: realloc (in
==8111==    by 0x11D38A: mem_trim (main.h:1470)
==8111==    by 0x11D38A: pbuf_realloc (pbuf.c:444)
==8111==    by 0x122E65: tcp_split_unsent_seg (tcp_out.c:932)
==8111==    by 0x1290E4: tcp_slowtmr (tcp.c:1290)
==8111==    by 0x12C118: tcpip_tcp_timer(void*) (timeouts.c:149)
==8111==    by 0x12C6C4: sys_check_timeouts (timeouts.c:390)
==8111==    by 0x12C703: lwip_timer(session*) (tap.c:1182)
==8111==    by 0x12CA48: tap_thread(void*) (tap_linux.c:832)
==8111==    by 0x654C6DA: start_thread (pthread_create.c:463)
==8111==    by 0x688571E: clone (clone.S:95)
==8111==  Block was alloc'd at
==8111==    at 0x4C31B0F: malloc (in
==8111==    by 0x11CEEC: mem_malloc (main.h:1473)
==8111==    by 0x11CEEC: pbuf_alloc (pbuf.c:284)
==8111==    by 0x11D0B2: tcp_pbuf_prealloc(pbuf_layer, unsigned short, unsigned short, unsigned short*, tcp_pcb const*, unsigned char, unsigned char)
==8111==    by 0x122579: tcp_write (tcp_out.c:610)
==8111==    by 0x124EA7: lwip_tcp_write(session*, tcp_pcb*, void const*, int)
==8111==    by 0x125009: lwip_stream_process_app_buf(_stream*) (tap.c:705)
==8111==    by 0x125C06: client_thread_lwip(void*) (tap.c:757)
==8111==    by 0x654C6DA: start_thread (pthread_create.c:463)
==8111==    by 0x688571E: clone (clone.S:95)
[02:40:29] Fatal error in lwip module: pbuf_free: p->ref > 0 in file lwip/pbuf.c in function pbuf_free()

What I tried to do:

1. I'm aware that the raw API isn't thread-safe, so I have wrapped all API
calls with my own mutex, making sure I'm not calling lwip from different
threads simultaneously.

2. I have also enabled SYS_LIGHTWEIGHT_PROT and used
sys_arch_protect()/sys_arch_unprotect() implementation from here:

3. Temporarily added printf to sys_arch_protect() to make sure it's actually
being called.

4. Found a similar issue here:
and applied this patch:
which didn't help.

I'm totally aware that it might be my mistake, but I'm really stuck and don't
know what to do.

I have attached the full valgrind log, which contains other errors too. I'm not
sure if they are all problems or some of them are false positives (valgrind is
notorious for its verbosity and false positives), but the "pbuf_free: p->ref >
0" is fatal, and valgrind might be a key to that.


File Attachments:

Date: Wed 05 May 2021 01:48:59 PM UTC  Name: valgrind_1.log  Size: 243KiB  
By: svimik
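The trace above shows the pbuf being shrunk through mem_trim (main.h:1470), which calls realloc(), and later freed through the address that tcp_free_acked_segments still holds. lwIP's own mem_trim() for MEM_LIBC_MALLOC builds simply returns the pointer it was given, and the stack does not support mem_trim() returning a different address: pbuf_realloc() and the tcp_seg that owns the pbuf keep using the original pointer. The C program below is an added example, not code from this bug report or from lwIP, that models that contract with a constructed tracking heap and a toy segment struct; trim_moving, trim_in_place, run_lifecycle and the block sizes are all constructed for illustration. It shows how a realloc-style shrink that moves the block leaves the owner's pointer stale, which the eventual free then reports as invalid, while an in-place shrink does not.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed tracking heap: remembers live blocks so that freeing a pointer
 * that is not live is *reported* (as valgrind's "Invalid free()" would)
 * instead of being handed to free() and corrupting the real heap. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int invalid_frees;

static void *tracked_malloc(size_t n)
{
  void *p = malloc(n);
  if (p == NULL) return NULL;
  for (int i = 0; i < MAX_LIVE; i++) {
    if (live[i] == NULL) { live[i] = p; return p; }
  }
  free(p);            /* no tracking slot left: refuse rather than lose track */
  return NULL;
}

/* Returns 0 on a valid free, -1 on an invalid (stale or double) free. */
static int tracked_free(void *p)
{
  for (int i = 0; i < MAX_LIVE; i++) {
    if (p != NULL && live[i] == p) { live[i] = NULL; free(p); return 0; }
  }
  invalid_frees++;    /* the stale pointer is deliberately NOT passed to free() */
  return -1;
}

/* A realloc-style shrink: allocate a new block, copy, release the old one.
 * The data survive, but the address changes, exactly as realloc() is
 * allowed to do; only the return value knows the new address. */
static void *trim_moving(void *mem, size_t newsize)
{
  void *q = tracked_malloc(newsize);
  if (q == NULL) return NULL;
  memcpy(q, mem, newsize);
  tracked_free(mem);
  return q;
}

/* The non-moving shrink lwIP expects: its stock mem_trim() for
 * MEM_LIBC_MALLOC builds does exactly this and returns the same pointer. */
static void *trim_in_place(void *mem, size_t newsize)
{
  (void)newsize;
  return mem;
}

typedef void *(*trim_fn)(void *, size_t);

/* Stand-in for a tcp_seg: the owner remembers the pbuf address it was given. */
struct seg { void *p; size_t len; };

/* Models the lifecycle in the trace: tcp_write allocates the pbuf,
 * tcp_split_unsent_seg shrinks it via pbuf_realloc -> mem_trim, and
 * tcp_free_acked_segments later frees it through the pointer the segment
 * stored. As in lwIP, the shrink does not update the owner's pointer.
 * Returns the number of invalid frees this run produced (0 = correct). */
static int run_lifecycle(trim_fn trim)
{
  int before = invalid_frees;
  struct seg s;
  void *q;

  s.p = tracked_malloc(1520);        /* full-size segment, as in the log */
  s.len = 1520;
  memset(s.p, 0xAB, s.len);

  q = trim(s.p, 536);                /* shrink to the split length... */
  s.len = 536;                       /* ...but s.p is left untouched */

  tracked_free(s.p);                 /* ACK arrives: segment freed via s.p */
  if (q != s.p) tracked_free(q);     /* moved copy: release it so nothing leaks */

  return invalid_frees - before;
}

int main(void)
{
  printf("realloc-style mem_trim: %d invalid free(s)\n", run_lifecycle(trim_moving));
  printf("in-place mem_trim:      %d invalid free(s)\n", run_lifecycle(trim_in_place));
  return 0;
}
```

Build with any C compiler and run: the realloc-style run reports one invalid free, the in-place run none. Whether this is the cause in the reporter's tree cannot be settled from the log alone, but a project-local mem_trim() that can return a different pointer than it was given violates the contract pbuf_realloc() relies on, so that is the first thing to verify before looking at locking.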


