[riot-notifications] [RIOT-OS/RIOT] gnrc_ipv6_nib/nc: remove from _next_removable on remove (#10975)

Martine Lenders notifications at github.com
Fri Feb 8 20:25:47 CET 2019


Ok, I think I got it now! The state corruption happens definitely within the thread, but not due to a remove happening just as something is added to the neighbor cache, but much earlier. It does not lead to a problem immediately due to a quirk of `clist` where the first element is not `list` or `list.next`, but `list.next->next`, so that most of its operations can be done in *O(1)*: `list` is just the entry point into the list, so it never appears in it itself, `list.next` is the last element of the list, so things can be appended in *O(1)* and `list.next->next` is the first.

It's pretty hard to explain, but when the last two **elements** are by change removed directly after each other when the NC is full (which introduces NULL pointers at the last and first **position**) and then two new NC entries are added (which have the same pointer as the removed ones), the NULL pointer at the **position** is first moved to the second **position** and then kept there, due to 

https://github.com/RIOT-OS/RIOT/blob/e78069b3163ec61ec5b691c1eefa5d68309b3263/core/include/clist.h#L115

When another entry is tried to be added, the cache-out mechanism starts running (since the NC is full again) and tries to pop the first **element** (which is the NULL pointer) and it crashes.

When just the **last** element is removed the situation "fixes" itself, since the entry is still referred to by the first position, so re-adding it just leads to a loop of one (breaking the list, but not the system ;-)).

I provided a unittest to reproduce and illustrate the crash (2451fb36f8d5abea2cbb10cc61d60f597a0518e2 while writing this message).

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/RIOT-OS/RIOT/pull/10975#issuecomment-461917017
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riot-os.org/pipermail/notifications/attachments/20190208/d6cca582/attachment-0001.html>


More information about the notifications mailing list