neels gerrit-no-reply at lists.osmocom.orgneels has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmo-mgw/+/15838 ) Change subject: endpoint FSM: allow cancelling a notify event ...................................................................... endpoint FSM: allow cancelling a notify event There is a use-after-free problem if a 'notify' FSM as passed to osmo_mgcpc_ep_ci_request() deallocates before the notify event has been dispatched. To avoid that, add API to allow cancelling a notify. Change-Id: I41687d7f3a808587ab7f7520f46dcc3c29cff92d
---
 M include/osmocom/mgcp_client/mgcp_client_endpoint_fsm.h M src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c 2 files changed, 82 insertions(+), 20 deletions(-) git pull ssh://gerrit.osmocom.org:29418/osmo-mgw refs/changes/38/15838/1
diff --git a/include/osmocom/mgcp_client/mgcp_client_endpoint_fsm.h b/include/osmocom/mgcp_client/mgcp_client_endpoint_fsm.h
index d77371a..736da22 100644
--- a/include/osmocom/mgcp_client/mgcp_client_endpoint_fsm.h
+++ b/include/osmocom/mgcp_client/mgcp_client_endpoint_fsm.h
@@ -29,6 +29,9 @@
 uint32_t event_success, uint32_t event_failure, void *notify_data);
+void osmo_mgcpc_ep_cancel_notify(struct osmo_mgcpc_ep *ep, struct osmo_fsm_inst *notify);
+struct osmo_mgcpc_ep *osmo_mgcpc_ep_ci_ep(struct osmo_mgcpc_ep_ci *ci);
+
 /*! Dispatch a DLCX for the given connection.
 * \param ci Connection identifier as obtained from osmo_mgcpc_ep_ci_add(). */
diff --git a/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c b/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c
index 3ea1492..2259788 100644
--- a/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c
+++ b/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c
@@ -73,6 +73,14 @@
 static struct osmo_fsm osmo_mgcpc_ep_fsm;
+struct fsm_notify {
+ struct llist_head entry;
+ struct osmo_fsm_inst *fi;
+ uint32_t success;
+ uint32_t failure;
+ void *data;
+};
+
 /*! One connection on an endpoint, corresponding to a connection identifier (CI) as returned by the MGW.
 * An endpoint has a fixed number of slots of these, which may or may not be in use. */
@@ -87,10 +95,7 @@
 bool sent;
 enum mgcp_verb verb;
 struct mgcp_conn_peer verb_info;
- struct osmo_fsm_inst *notify;
- uint32_t notify_success;
- uint32_t notify_failure;
- void *notify_data;
+ struct fsm_notify notify;
 bool got_port_info;
 struct mgcp_conn_peer rtp_info;
@@ -118,6 +123,10 @@
 /*! Endpoint connection slots. Note that each connection has its own set of FSM event numbers to signal success
 * and failure, depending on its index within this array. See CI_EV_SUCCESS and CI_EV_FAILURE. */
 struct osmo_mgcpc_ep_ci ci[USABLE_CI];
+
+ /*! Internal use: if a function keeps an fsm_notify for later dispatch while already clearing or re-using the
+ * ci[], the fsm_notify should be kept here to also get canceled by osmo_mgcpc_ep_cancel_notify(). */
+ struct llist_head background_notify;
 };
 const struct value_string osmo_mgcp_verb_names[] = {
@@ -296,6 +305,7 @@
 .fi = fi,
 .T_defs = T_defs,
 };
+ INIT_LLIST_HEAD(&ep->background_notify);
 fi->priv = ep;
 va_start(ap, endpoint_str_fmt);
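Review bot: `struct fsm_notify` is added without a comment, and its `entry` member has two different lifetimes that a reader cannot tell apart from the declaration. Embedded in `struct osmo_mgcpc_ep_ci` it is never linked anywhere in this change, while the copy taken in on_failure() is a stack object that sits on `ep->background_notify` until that function unlinks it. I would add `/*! Notification target of a CI request; 'entry' is only linked while a copy is queued on ep->background_notify. */` above the struct, and extend the `background_notify` comment to say that queued entries live on the caller's stack and must be unlinked before that caller returns.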
@@ -354,15 +364,20 @@
 static void on_failure(struct osmo_mgcpc_ep_ci *ci)
 {
- struct osmo_fsm_inst *notify = ci->notify;
- uint32_t notify_failure = ci->notify_failure;
- void *notify_data = ci->notify_data;
 struct osmo_mgcpc_ep *ep = ci->ep;
+ struct fsm_notify notify;
 int i;
 if (!ci->occupied)
 return;
+ /* When dispatching an event for this CI, the user may decide to trigger the next request for this conn right
+ * away. So we must be ready with a cleared *ci. Store the notify separately and clear before dispatching. */
+ notify = ci->notify;
+ /* Register the planned notification in ep->background_notify so we also catch any osmo_mgcpc_ep_cancel_notify()
+ * that might be triggered between clearing the ci and actually dispatching the event. */
+ llist_add(¬ify.entry, &ep->background_notify);
+
 *ci = (struct osmo_mgcpc_ep_ci){
 .ep = ci->ep,
 };
@@ -387,11 +402,15 @@
 /* If this check has terminated the FSM instance, don't fire any more events to prevent use-after-free problems.
 * The endpoint FSM does dispatch a term event to its parent, and everything should be cleaned like that. */
- if (!osmo_mgcpc_ep_fsm_check_state_chg_after_response(ci->ep->fi))
+ if (!osmo_mgcpc_ep_fsm_check_state_chg_after_response(ep->fi)) {
+ /* The ep has deallocated, no need to llist_del(¬ify.entry) here. */
 return;
+ }
- if (notify)
- osmo_fsm_inst_dispatch(notify, notify_failure, notify_data);
+ if (notify.fi)
+ osmo_fsm_inst_dispatch(notify.fi, notify.failure, notify.data);
+
+ llist_del(¬ify.entry);
 }
 static int update_endpoint_name(struct osmo_mgcpc_ep_ci *ci, const char *new_endpoint_name)
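Review bot: `llist_del(&notify.entry)` at the end of on_failure() runs after `osmo_fsm_inst_dispatch()`, so it writes through the list head inside `ep` after user code has had a chance to run. If the notified FSM reacts to the failure event by tearing down the endpoint (the last hunk of this change shows a teardown path that calls `osmo_fsm_inst_term()` on `ep->fi`), the unlink would touch freed memory, which is the same class of bug this commit sets out to fix. Nothing can cancel between the state check and the dispatch, so unlinking first looks safe: place `llist_del(&notify.entry);` directly after the `osmo_mgcpc_ep_fsm_check_state_chg_after_response()` block and before `if (notify.fi)`. Part of the function body lies between the two hunks and is not visible here; any return path in it would also have to unlink the stack entry.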
@@ -472,10 +491,10 @@
 LOG_CI(ci, LOGL_DEBUG, "received successful response to %s: RTP=%s%s\n", osmo_mgcp_verb_name(ci->verb), mgcp_conn_peer_name(ci->got_port_info? &ci->rtp_info : NULL),
- ci->notify ? "" : " (not sending a notification)");
+ ci->notify.fi ? "" : " (not sending a notification)");
- if (ci->notify)
- osmo_fsm_inst_dispatch(ci->notify, ci->notify_success, ci->notify_data);
+ if (ci->notify.fi)
+ osmo_fsm_inst_dispatch(ci->notify.fi, ci->notify.success, ci->notify.data);
 osmo_mgcpc_ep_fsm_check_state_chg_after_response(ci->ep->fi);
 }
@@ -536,6 +555,11 @@
 ((struct osmo_mgcpc_ep*)fi->priv)->T_defs, 5)
 /*! Dispatch an actual CRCX/MDCX/DLCX message for this connection.
+ *
+ * If the 'notify' instance deallocates before it received a notification of event_success or event_failure,
+ * osmo_mgcpc_ep_ci_cancel_notify() or osmo_mgcpc_ep_cancel_notify() must be called. It is not harmful to cancel
+ * notification after an event has been received.
+ *
 * \param ci Connection identifier as obtained from osmo_mgcpc_ep_ci_add().
 * \param verb MGCP operation to dispatch.
 * \param verb_info Parameters for the MGCP operation.
@@ -584,16 +608,18 @@
 .occupied = true,
 /* .pending = true follows below */
 .verb = verb,
- .notify = notify,
- .notify_success = event_success,
- .notify_failure = event_failure,
- .notify_data = notify_data,
+ .notify = {
+ .fi = notify,
+ .success = event_success,
+ .failure = event_failure,
+ .data = notify_data,
+ }
 };
 osmo_strlcpy(cleared_ci.label, ci->label, sizeof(cleared_ci.label));
 osmo_strlcpy(cleared_ci.mgcp_ci_str, ci->mgcp_ci_str, sizeof(cleared_ci.mgcp_ci_str));
 *ci = cleared_ci;
- LOG_CI_VERB(ci, LOGL_DEBUG, "notify=%s\n", osmo_fsm_inst_name(ci->notify));
+ LOG_CI_VERB(ci, LOGL_DEBUG, "notify=%s\n", osmo_fsm_inst_name(ci->notify.fi));
 if (verb_info)
 ci->verb_info = *verb_info;
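Review bot: The success path in the first hunk still dispatches straight from `ci->notify` and then dereferences `ci->ep->fi` in the very next statement, unlike on_failure() and send_verb(), which copy the notify and settle the CI before handing control to the notified FSM. If a handler reacts to the success event by releasing the endpoint, `ci` would be stale when `osmo_mgcpc_ep_fsm_check_state_chg_after_response(ci->ep->fi)` runs; whether that can happen depends on callers not shown here. If the path is meant to be exempt, say so in place, e.g. `/* ci and ci->ep must outlive this dispatch: the handler must not release the endpoint from here */`. The enclosing function starts outside the hunk.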
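Review bot: The paragraph added to the doc comment in the second hunk names `osmo_mgcpc_ep_ci_cancel_notify()`, but the header hunk of this change only declares `osmo_mgcpc_ep_cancel_notify()` and `osmo_mgcpc_ep_ci_ep()`. Unless that function exists elsewhere, a reader following the documentation to avoid the use-after-free will look for an API that is not there. Either drop the name or spell out the intended call, for example `osmo_mgcpc_ep_cancel_notify(osmo_mgcpc_ep_ci_ep(ci), notify)`.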
@@ -651,10 +677,39 @@
 osmo_fsm_inst_dispatch(notify, event_failure, notify_data);
 }
+/*! No longer notify for any state changes for any conns of this endpoint.
+ * Useful if the notify instance passed to osmo_mgcpc_ep_ci_request() is about to deallocate.
+ * \param ep The endpoint FSM instance.
+ * \param notify Which target to cancel notification for, if NULL cancel all notifications. */
+void osmo_mgcpc_ep_cancel_notify(struct osmo_mgcpc_ep *ep, struct osmo_fsm_inst *notify)
+{
+ struct fsm_notify *n;
+ int i;
+ for (i = 0; i < ARRAY_SIZE(ep->ci); i++) {
+ struct osmo_mgcpc_ep_ci *ci = &ep->ci[i];
+ if (!notify || ci->notify.fi == notify)
+ ci->notify.fi = NULL;
+ }
+ llist_for_each_entry(n, &ep->background_notify, entry) {
+ if (!notify || n->fi == notify)
+ n->fi = NULL;
+ }
+
+}
+
+/* Return the osmo_mgcpc_ep that this conn belongs to. */
+struct osmo_mgcpc_ep *osmo_mgcpc_ep_ci_ep(struct osmo_mgcpc_ep_ci *conn)
+{
+ if (!conn)
+ return NULL;
+ return conn->ep;
+}
+
 static int send_verb(struct osmo_mgcpc_ep_ci *ci)
 {
 int rc;
 struct osmo_mgcpc_ep *ep = ci->ep;
+ struct fsm_notify notify;
 if (!ci->occupied || !ci->pending || ci->sent)
 return 0;
@@ -693,11 +748,14 @@
 osmo_mgcp_verb_name(ci->verb), ci->mgcp_ci_str);
 /* The way this is designed, we actually need to forget all about the ci right away. */
 mgcp_conn_delete(ci->mgcp_client_fi);
- if (ci->notify)
- osmo_fsm_inst_dispatch(ci->notify, ci->notify_success, ci->notify_data);
+ notify = ci->notify;
 *ci = (struct osmo_mgcpc_ep_ci){
 .ep = ep,
 };
+ /* When dispatching an event for this CI, the user may decide to trigger the next request for this conn
+ * right away. So we must be ready with a cleared *ci. */
+ if (notify.fi)
+ osmo_fsm_inst_dispatch(notify.fi, notify.success, notify.data);
 break;
 default:
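Review bot: `osmo_mgcpc_ep_cancel_notify()` dereferences `ep` without a NULL check, while `osmo_mgcpc_ep_ci_ep()` added right below it returns NULL for a NULL conn. The natural cleanup call `osmo_mgcpc_ep_cancel_notify(osmo_mgcpc_ep_ci_ep(ci), fi)` therefore crashes when it runs for an object whose CI was never set, and cleanup is exactly where this API is meant to be used. Start the function with `if (!ep) return;`, as the teardown function in the last hunk already does for its own argument. The doc comment could also state that cancelling only clears the target pointer and leaves the pending MGCP request itself running.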
@@ -712,6 +770,7 @@
 {
 if (!ep)
 return;
+ osmo_mgcpc_ep_cancel_notify(ep, NULL);
 osmo_fsm_inst_term(ep->fi, OSMO_FSM_TERM_REGULAR, 0);
 }
-- To view, visit https://gerrit.osmocom.org/c/osmo-mgw/+/15838 To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings Gerrit-Project: osmo-mgw Gerrit-Branch: master Gerrit-Change-Id: I41687d7f3a808587ab7f7520f46dcc3c29cff92d Gerrit-Change-Number: 15838 Gerrit-PatchSet: 1 Gerrit-Owner: neels <nhofmeyr at sysmocom.de> Gerrit-MessageType: newchange -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20191023/2cc2fd81/attachment.htm>
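Review bot: With `osmo_mgcpc_ep_cancel_notify(ep, NULL)` placed ahead of the terminate call, every FSM still waiting on a request for this endpoint stops receiving any event, success or failure. That is what prevents a dispatch into a freed instance, but a caller that relied on a failure event during teardown would now only find out through its own timeout; I cannot tell from the hunk whether such events were emitted before. The function's signature and doc comment are outside the hunk; the comment should state the new contract, e.g. `Pending notifications are cancelled: notify targets receive no further events for this endpoint.`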