From 5fe82aa48564c78ecd8e1dc2e195add7c6bb8927 Mon Sep 17 00:00:00 2001
From: Julian Oes
Date: Sat, 13 Dec 2025 10:24:02 +1300
Subject: [PATCH] [Sponsored by CubePilot] Try to fix potential mavlink segfaults on USB disconnect (#26083)
* mavlink: fix potential use-after-free If a mavlink instance is force stopped, the main thread might be out of scope and the receiver thread would be doing a use-after-free. Instead the receiver thread needs to check its own _should_exit flag.
* mavlink: protect shared data by mutex in dtor I'm not sure if this potentially fixes any of the segfaults we have seen on stopping mavlink instances but it potentially could matter if the mavlink_receiver thread is killed after a timeout and tries to send any messages as a zombie.
---
 src/modules/mavlink/mavlink_main.cpp | 5 ++++-
 src/modules/mavlink/mavlink_receiver.cpp | 2 +-
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/modules/mavlink/mavlink_main.cpp b/src/modules/mavlink/mavlink_main.cpp
index 3c868b9be9..9ab591f997 100644
--- a/src/modules/mavlink/mavlink_main.cpp
+++ b/src/modules/mavlink/mavlink_main.cpp
@@ -163,7 +163,10 @@ Mavlink::~Mavlink()
 }
 if (_instance_id >= 0) {
- mavlink_module_instances[_instance_id] = nullptr;
+ {
+ LockGuard lg{mavlink_module_mutex};
+ mavlink_module_instances[_instance_id] = nullptr;
+ }
 mavlink_instance_count.fetch_sub(1);
 }
diff --git a/src/modules/mavlink/mavlink_receiver.cpp b/src/modules/mavlink/mavlink_receiver.cpp
index c913909657..4bccb35b52 100644
--- a/src/modules/mavlink/mavlink_receiver.cpp
+++ b/src/modules/mavlink/mavlink_receiver.cpp
@@ -3160,7 +3160,7 @@ MavlinkReceiver::run()
 ssize_t nread = 0;
 hrt_abstime last_send_update = 0;
- while (!_mavlink.should_exit()) {
+ while (!_should_exit.load()) {
 // check for parameter updates
 if (_parameter_update_sub.updated()) {
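Review bot: The new `LockGuard lg{mavlink_module_mutex};` in `~Mavlink()` is only safe if no teardown path deletes an instance while it already holds `mavlink_module_mutex`; if one does and the mutex is not recursive, the destructor would block on itself. That is not visible from this hunk, so the call sites that delete Mavlink objects are worth checking. The guard also covers just the slot write, so it protects only readers that keep the mutex held for as long as they use the pointer they read from `mavlink_module_instances`. I would record both assumptions above the block, e.g. `// Must not be reached with mavlink_module_mutex held; readers must hold it while using the slot pointer.` The destructor body starts and ends outside the hunk.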
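Review bot: Switching the condition to `_should_exit.load()` removes only the dereference of `_mavlink` in the `while` test; the part of the body visible here (`_parameter_update_sub.updated()`) does not touch it, but any later use of `_mavlink` inside the loop would still reach a destroyed parent after a forced stop. The hunk also does not show where the receiver's `_should_exit` is set, so it should be confirmed that every path which made `_mavlink.should_exit()` true now sets this flag as well, otherwise the thread never leaves the loop. A comment on the condition would record the intent: `// Poll our own flag; _mavlink may already be destroyed after a forced stop.` The body of `run()` continues outside the hunk.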