FreeRTOS LwIP SDK v2.0.0 tpcipecho demo crash

Hello Daniel and Wilco,

I have the same problem. I use K64 with KSDK2.0 + LWIP and IAR Workbench.

I use the internal buffer in "pbuf.c" with pbuf_alloc().

The size of PBUF is set to 256, so I get the error quick.

#define PBUF_POOL_BUFSIZE       256

I investigated the problem.

--> the memory corruption happens every time when a incomming packet is greater than PBUF_POOL_BUFSIZE.

The bug is in KSDK_2.0\middleware\lwip_1.4.1\port\ethernetif.c.

In function ethernetif_Input() the buffer is allocated from PBUF_POOL with length. Every time the length is greater than one single buffer size, you get back a chain of buffers. --> this memory area is not continuous!!!!

Then ENET_ReadFrame() is called with the first buffer and the full length..... there happens the shit.

--> data is copied across the buffer boundary. --> you know what that means....

Can someone please have a look on this things... and confirm, that I'm right.

For a quick workaround I changed the pool size to maximum incomming packet size. So the allocated buffer memory is always continous.

#define PBUF_POOL_BUFSIZE       1518U /*=ENET_FRAME_MAX_FRAMELEN*/

This works. But much memory is wasted and it ist slow.

The function ethernetif_Input() should be reviewed and work with chained buffers.

Best regards

Manfred

Hi Manfred:

Thanks for your effort  to locate the root cause.  By increasing PBUF_POOL_BUFSIZE to contain the whole Ethernet frame is the fix.  This issue is present for KSDK 2.0 Rel1(or older). Not for current. For K64, Rel1 is the latest.

If you need good performance and not waste much memory, I think you can keep the PBUF_POOL_BUFSIZE as original, and  discard the long-size incoming packet in ethernet driver (will lose long size packet), it depends on your requirement.

Regards

Daniel

Hi Daniel,

thank you for confirming the fix.

It's not an option to lose long packets.

In the meantime I revised the ethernetif_Input() function.

Now it works with chained buffers, when necessary. And updates the LINK_STATS of lwip.

Best regards.

Manfred

I have the exact same problem. I'm setup to receive udp broadcast messages and some of the messages are to large causing this same memory issue. I temporarily fixed it increasing the PBUF_POOL_BUFSIZE but I am curious what changes you made to ethernetif_Input() Manfred, you ok to share your changes? I'm also curious when we will see the fix for download available for K64 Daniel?

Hi Wesley,

I think I can share the revised ethernetif_input(). But I do this without any warranty.

This job should be done by NXP...

Take care...  this function sometime needs a big local buffer with size  ENET_FRAME_MAX_FRAMELEN !!!

Best regards

Manfred

void ethernetif_input(enet_handle_t *handle, void *param)
{
    struct eth_hdr *ethhdr;
    struct pbuf *packetTempBuffer;
    status_t status;
    uint32_t length = 0;
    struct netif *netif = param;
    static enet_data_error_stats_t eErrStatic; // to get the error statically
    // by MS enet_data_error_stats_t eErrStatic;
    uint32_t localLen;
    uint32_t workedBytes;
    uint32_t lengthToCopy;
    static uint16_t type;

    /* Check input parameter */
    if (netif == NULL)
    {
        LWIP_ASSERT("Input param is NULL", 0);
        /* Should not reach this statement if error occurs */
        return;
    }
    /* Read all data from ring buffer and send to uper layer */
    do
    {
        /* Get the Frame size */
        status = ENET_GetRxFrameSize(handle, &length);

        /* Call ENET_ReadFrame when there is a received frame. */
        if (length != 0)
        {
            uint8_t *receivedDataBuffer;
            struct pbuf *packetBuffer;

            packetBuffer = pbuf_alloc(PBUF_RAW, length, PBUF_POOL);

            /* Received valid frame. Deliver the rx buffer with the size equal to length. */
            if ((packetBuffer == NULL) || (packetBuffer->payload == NULL))
            {
                pbuf_free(packetBuffer);
                packetBuffer = NULL;
                LWIP_ASSERT("Fail to allocate new memory space", 0);
                LINK_STATS_INC(link.memerr);
                /* Should not reach this statement if error occurs */
                return;
            }
            if ( length <= PBUF_POOL_BUFSIZE )   {
              // target buffer
              receivedDataBuffer = packetBuffer->payload;
              packetBuffer->len = (u16_t)length;
              // read direct to one buffer
              ENET_ReadFrame(ENET, handle, receivedDataBuffer, packetBuffer->len);
              LINK_STATS_INC(link.recv);
            }
            else {
              // read to one temp buffer and copy then to allocated memory
              unsigned char ucBuffer[ENET_FRAME_MAX_FRAMELEN];

              if ( length > ENET_FRAME_MAX_FRAMELEN )  {
                  pbuf_free(packetBuffer);
                  packetBuffer = NULL;
                  LWIP_ASSERT("Fail length > ENET_FRAME_MAX_FRAMELEN", 0);
                  LINK_STATS_INC(link.lenerr);
                  /* Should not reach this statement if error occurs */
                  return;
              }

              // read local
              ENET_ReadFrame(ENET, handle, ucBuffer, length);
              LINK_STATS_INC(link.recv);

              // take the total length
              localLen = length; 
              workedBytes = 0;

              packetTempBuffer = packetBuffer;
              while ( (localLen) && (packetTempBuffer != NULL) )  {

                lengthToCopy = localLen;
                if ( lengthToCopy > packetTempBuffer->len ) {
                  lengthToCopy = packetTempBuffer->len;
                }

                // copy one part
                memcpy(packetTempBuffer->payload, &ucBuffer[workedBytes], lengthToCopy);

                // next buffer in chain
                packetTempBuffer = packetTempBuffer->next;

                localLen -= lengthToCopy;
                workedBytes += lengthToCopy; 
              };

            }
            /* points to packet payload, which starts with an Ethernet header */
            ethhdr = packetBuffer->payload;
            type = htons(ethhdr->type);
            switch (type)
            {
                /* IP or ARP packet? */
                case ETHTYPE_IP:
                case ETHTYPE_ARP:
#if PPPOE_SUPPORT
                /* PPPoE packet? */
                case ETHTYPE_PPPOEDISC:
                case ETHTYPE_PPPOE:
#endif /* PPPOE_SUPPORT */
                    /* full packet send to tcpip_thread to process */
                    if (netif->input(packetBuffer, netif) != ERR_OK)
                    {
                        LWIP_DEBUGF(NETIF_DEBUG, ("ethernetif_input: IP input error\n"));
                        pbuf_free(packetBuffer);
                        packetBuffer = NULL;
                    }
                    break;
                default:
                    pbuf_free(packetBuffer);
                    packetBuffer = NULL;
                    LINK_STATS_INC(link.drop);     
                    break;
            }
        }
        else
        {
            /* Update the received buffer when error happened. */
            if ( (status != kStatus_Success) && (status != kStatus_ENET_RxFrameEmpty) )
            {
                /* Get the error information of the received g_frame. */
                ENET_GetRxErrBeforeReadFrame(handle, &eErrStatic);
                /* update the receive buffer. */
                ENET_ReadFrame(ENET, handle, NULL, 0);
                LINK_STATS_INC(link.err);     
            }
        }
    } while (kStatus_ENET_RxFrameEmpty != status);
}

this solution requires 1.5K of stack memory. as suggested in my report of the same issue, the easiest thing to do is to allocate a PBUF_RAM buffer if the packet doesn't fit into the allocated PBUF_POOL buffer.

increasing PBUF_POOL_BUFSIZE to 1.5K is actually a pretty inefficient solution and will waste a lot of memory - lwip is written to deal with pbuf chains, and this allows for more efficient memory management.

the real solution is to make ENET_ReadFrame do partial reads.

Hi Deomid,

my solution needs 1.5K stack, that's true. I prefer a static allocated buffer, instead of a dynamic allocated memory from heap. That may lead to memory defragmentation dependent on network load.

increasing PBUF_POOL_BUFSIZE to 1.5K  --> is just a cheap workaround with many disatvantages.

"the real solution is to make ENET_ReadFrame do partial reads." --> yes ENET_ReadFrame should read direct to chained buffers. --> this API should be revised again by NXP.

I'm curious, when we will get a reworked KSDK2.x.... There is enough to improve for NXP.....

Best regards

Manfred

ENET_ReadFrame should read direct to chained buffers.

ENET_ReadFrame is not lwip-specific and making it aware of pbuf chains would be wrong. however, there is a simpler solution: right now ENET_ReadFrame it assumes that length is enough to accommodate entire frame. instead, it just needs to read as much of the frame as the passed length parameter allows and leave the rest in the buffer(s). ethernetif_input should then loop over the allocate pbuf chain and call ENET_ReadFrame repeatedly until the frame is fully copied.

Hi:

Yes, I think this API should be revised again.

Hi Daniel,

Thanks for your reaction!

Yes, that's the demo I use. I didn't modify the code (except for a different IP address). But we have a heavily used network at work. E.g we have one device on the network (network with more than 50 devices) which sends quite often a broadcast with one package length of 682 bytes or more (seen with Wireshark). I'm not sending anything to the demo myself, I only connect to it.

At my home (very small hardly used network) I don't have this problem of the crash. There it works fine for more than 30 min.

That's making me scared because the final device should work very reliable on every network.

Maybe you can reproduce by sending a broadcast which has a package with a very large package length (say >682 bytes).

Regards,

Wilco