[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[lwip-users] Possible race condition in netconn_write
From: |
Geir Ertzaas |
Subject: |
[lwip-users] Possible race condition in netconn_write |
Date: |
Tue, 23 May 2006 12:58:47 +0200 |
User-agent: |
Thunderbird 1.5.0.2 (Windows/20060308) |
I have found a problem with the code in netconn_write (api_lib.c) that
caused infrequent severe crashes in my application. The code creates and
deletes a semaphore, conn->sem, which is used to wait for free send
buffer space. The main lwip_thread signals this semaphore when there is
room available in the send buffer, however the check to see whether to
signal the semaphore is based on conn->sem!=0. This is a potential race
condition as the semaphore is deleted prior to the conn->sem being set
to 0 in netconn_write. The lwip_thread runs at a higher task priority
than the application thread and may interrupt the application thread
between the delete and and the 0 assignment. I fixed this in my
application by removing the semaphore deletion/assignment from
netconn_write and have the semaphore exist until netconn_delete is called.
In netconn_write :
...
ret:
memp_free(MEMP_API_MSG, msg);
conn->state = NETCONN_NONE;
if (conn->sem != SYS_SEM_NULL) {
sys_sem_free(conn->sem); //<<-- Potential race
condition.
conn->sem = SYS_SEM_NULL; //<<--
}
return conn->err;
...
- [lwip-users] Possible race condition in netconn_write,
Geir Ertzaas <=