[Sponsored by CubePilot] Try to fix potential mavlink segfaults on USB disconnect (#26083)

julianoes · web-flow · commit 5fe82aa48564 · 2025-12-12T12:24:02.000-09:00
* mavlink: fix potential use-after-free

If a mavlink instance is force stopped, the main thread might be out of
scope and the receiver thread would be doing a use-after-free.

Instead the receiver thread needs to check its own _should_exit flag.

* mavlink: protect shared data by mutex in dtor

I'm not sure if this potentially fixes any of the segfaults we have seen
on stopping mavlink instances but it potentially could matter if the
mavlink_receiver thread is killed after a timeout and tries to send any
messages as a zombie.
diff --git a/src/modules/mavlink/mavlink_main.cpp b/src/modules/mavlink/mavlink_main.cpp
@@ -163,7 +163,10 @@ Mavlink::~Mavlink()
 	}
 
 	if (_instance_id >= 0) {
-		mavlink_module_instances[_instance_id] = nullptr;
+		{
+			LockGuard lg{mavlink_module_mutex};
+			mavlink_module_instances[_instance_id] = nullptr;
+		}
 		mavlink_instance_count.fetch_sub(1);
 	}
 
diff --git a/src/modules/mavlink/mavlink_receiver.cpp b/src/modules/mavlink/mavlink_receiver.cpp
@@ -3160,7 +3160,7 @@ MavlinkReceiver::run()
 	ssize_t nread = 0;
 	hrt_abstime last_send_update = 0;
 
-	while (!_mavlink.should_exit()) {
+	while (!_should_exit.load()) {
 
 		// check for parameter updates
 		if (_parameter_update_sub.updated()) {

Original file line number	Diff line number	Diff line change
`@@ -163,7 +163,10 @@ Mavlink::~Mavlink()`
`163`	`163`	`}`
`164`	`164`
`165`	`165`	`if (_instance_id >= 0) {`
`166`		`- mavlink_module_instances[_instance_id] = nullptr;`
	`166`	`+ {`
	`167`	`+ LockGuard lg{mavlink_module_mutex};`
	`168`	`+ mavlink_module_instances[_instance_id] = nullptr;`
	`169`	`+ }`
`167`	`170`	`mavlink_instance_count.fetch_sub(1);`
`168`	`171`	`}`
`169`	`172`