net/rtdev: Commit e972e78e reintroduces memory corruption fixed by 74464ee3

Jan Kiszka jan.kiszka at
Fri Mar 8 13:55:05 CET 2019

On 08.03.19 13:47, Jouko Haapaluoma wrote:
> Hello
> I have been investigating kernel memory corruption issues in our system (Xenomai 2.6.4 and RTnet
> I traced the root cause to the rtdev_map_rtskb() function where a linked list is always grown but not shrunk.
> You have recently created a patch that fixes this: 74464ee3.
> Additionally, there seemed to be a regression and that was fixed in e972e78e. However, this regression fix
> reintroduces the memory corruption in cases where the rtdev does not have the rtdev->map_rtskb function defined.
> Therefore we end up in the situation that was before the 74464ee3: The rtskb_mapwait_list will grow but not shrink.
> If sockets are destroyed and recreated, the rtskb_mapwait_list->next will point to a destroyed skb object which causes a
> use-after-free memory corruption when calling list_add().

Hmpf, right, too bad.

I suppose we should be fine by dropping the rtskb from the waitlist in 
rtdev_unmap_rtskb if it had no dma address set.


Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux
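
A simplified user-space model of the list behaviour discussed in this thread, added here as an example; it is not RTnet code and not part of either message. Only `rtskb_mapwait_list` is taken from the thread; the struct layout, the `UNMAPPED` marker and all function names are assumptions, and the buffers are never freed so that walking the stale list stays safe.

```c
#include <stdio.h>

/* Minimal intrusive list in the style of the kernel's list_head. */
struct list_head { struct list_head *next, *prev; };

static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add(struct list_head *n, struct list_head *h)
{
    n->next = h->next; n->prev = h;
    h->next->prev = n; h->next = n;
}
static void list_del(struct list_head *n) { n->prev->next = n->next; n->next->prev = n->prev; }
static int list_len(const struct list_head *h)
{
    int n = 0;
    for (const struct list_head *p = h->next; p != h; p = p->next) n++;
    return n;
}

#define UNMAPPED 0UL                    /* assumed "no DMA address" marker */
struct skb_model { struct list_head entry; unsigned long dma_addr; };
static struct list_head mapwait_list;   /* stands in for rtskb_mapwait_list */

/* No device offers a map callback: the buffer is queued without an address. */
static void model_map(struct skb_model *skb)
{
    skb->dma_addr = UNMAPPED;
    list_add(&skb->entry, &mapwait_list);
}
/* Reported behaviour: a buffer without a DMA address is never unlinked. */
static void unmap_reported(struct skb_model *skb) { if (skb->dma_addr != UNMAPPED) list_del(&skb->entry); }
/* Suggested behaviour: drop it from the wait list when no address was set. */
static void unmap_suggested(struct skb_model *skb) { if (skb->dma_addr == UNMAPPED) list_del(&skb->entry); }

/* Map then unmap `cycles` buffers (max 64); return entries left on the list. */
static int stale_entries(int cycles, void (*unmap)(struct skb_model *))
{
    static struct skb_model pool[64];   /* never freed, so the walk is safe */
    list_init(&mapwait_list);
    for (int i = 0; i < cycles && i < 64; i++) { model_map(&pool[i]); unmap(&pool[i]); }
    return list_len(&mapwait_list);
}
int main(void)
{
    printf("reported: %d stale, suggested: %d stale\n",
           stale_entries(8, unmap_reported), stale_entries(8, unmap_suggested));
    return 0;
}
```

In the model every entry left behind by `unmap_reported` corresponds to a buffer whose owner considers it released; once that memory is really freed, the next `list_add()` writes through the dangling `next` pointer.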
