From e399daa67e5bdf903ed851d6fa52b871f60fa004 Mon Sep 17 00:00:00 2001 From: Amaury Denoyelle Date: Wed, 21 May 2025 11:24:57 +0200 Subject: [PATCH] BUG/MEDIUM: mux-quic: fix BUG_ON() on rxbuf alloc error RX buffer allocation has been reworked in current dev tree. The objective is to support multiple buffers per QCS to improve upload throughput. RX buffer allocation failure is handled simply : the whole connection is closed. This is done via qcc_set_error(), with INTERNAL_ERROR as error code. This function contains a BUG_ON() to ensure it is called only one time per connection instance. On RX buffer alloc failure, the aformentioned BUG_ON() crashes due to a double invokation of qcc_set_error(). First by qcs_get_rxbuf(), and immediately after it by qcc_recv(), which is the caller of the previous one. This regression was introduced by the following commit. 60f64449fbba7bb6e351e8343741bb3c960a2e6d MAJOR: mux-quic: support multiple QCS RX buffers To fix this, simply remove qcc_set_error() invocation in qcs_get_rxbuf(). On buffer alloc failture, qcc_recv() is responsible to set the error. This does not need to be backported. --- src/mux_quic.c | 1 - 1 file changed, 1 deletion(-) diff --git a/src/mux_quic.c b/src/mux_quic.c index b335eaecf..68377498a 100644 --- a/src/mux_quic.c +++ b/src/mux_quic.c @@ -1732,7 +1732,6 @@ static struct qc_stream_rxbuf *qcs_get_rxbuf(struct qcs *qcs, uint64_t offset, ncbuf = &buf->ncb; if (!qcs_get_ncbuf(qcs, ncbuf) || ncb_is_null(ncbuf)) { TRACE_ERROR("receive ncbuf alloc failure", QMUX_EV_QCC_RECV|QMUX_EV_QCS_RECV, qcc->conn, qcs); - qcc_set_error(qcc, QC_ERR_INTERNAL_ERROR, 0); goto err; }