From: Philippe Gerum <rpm@xenomai.org>
To: Andreas Glatz <andreasglatz@domain.hid>
Cc: xenomai@xenomai.org
Subject: Re: [Xenomai-core] Kernel crash in xnheap_test_and_free (native/heap.c)
Date: Wed, 18 Mar 2009 22:53:25 +0100
Message-ID: <49C16D55.1080003@domain.hid>
In-Reply-To: <1237393895.5495.7.camel@domain.hid>
Andreas Glatz wrote:
> Hi,
>
> I got a kernel crash because inside xnheap_test_and_free an
> invalid pointer contained in variable 'nextpage' is dereferenced:
>
<snip>
This turned out to be caused by an out-of-bound write triggered by the streaming
output service.
The patch below fixes the issue; it has been committed to both the maintenance
(v2.4.x) and development branches.
Sidenote: your test scenario involves echoing some data to /dev/rtp0 for
triggering the issue; this will now work, but you won't get that input available
to rt_pipe_read(). In case you wonder why, the reason is that 'echo' will exit
immediately after sending the bytes, which will cause the user-space side of the
channel to be closed, and the input queue (the one that goes user -> kernel) to
be flushed of any pending data.
--- ksrc/skins/native/pipe.c (revision 4712)
+++ ksrc/skins/native/pipe.c (working copy)
@@ -110,6 +110,7 @@
/* Reset the streaming buffer. */
xnlock_get_irqsave(&nklock, s);
pipe->fillsz = 0;
+ xnpipe_m_size(pipe->buffer) = 0;
__clear_bit(P_SYNCWAIT, &pipe->status);
__clear_bit(P_ATOMIC, &pipe->status);
xnlock_put_irqrestore(&nklock, s);
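Review bot: the new `xnpipe_m_size(pipe->buffer) = 0;` dereferences `pipe->buffer` unconditionally, while the second hunk shows the buffer being set up only inside a `CONFIG_XENO_OPT_NATIVE_PIPE_BUFSZ > 0` block; confirm this reset path is compiled under the same `#if` (or that `pipe->buffer` is guaranteed non-NULL here), otherwise a configuration without a streaming buffer would fault on reset. Zeroing the message size together with `pipe->fillsz = 0;` under `nklock` is the right pairing, since both fields describe the same pending data and must never disagree.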
@@ -284,8 +285,8 @@
NULL);
return -ENOMEM;
}
- inith(&pipe->buffer->link);
- pipe->buffer->size = streamsz - sizeof(RT_PIPE_MSG);
+ inith(xnpipe_m_link(pipe->buffer));
+ xnpipe_m_size(pipe->buffer) = streamsz - sizeof(RT_PIPE_MSG);
#endif /* CONFIG_XENO_OPT_NATIVE_PIPE_BUFSZ > 0 */
ops.output = NULL;
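Review bot: `xnpipe_m_size(pipe->buffer) = streamsz - sizeof(RT_PIPE_MSG);` has no visible check that `streamsz` exceeds `sizeof(RT_PIPE_MSG)`; if `streamsz` is an unsigned type and a caller can pass a smaller value, the subtraction wraps to a huge size and the clamp in the third hunk no longer bounds anything. Suggest rejecting `streamsz <= sizeof(RT_PIPE_MSG)` before the allocation, or stating in a comment that the caller already guarantees it. Since the switch from `pipe->buffer->size` to `xnpipe_m_size()` uses the accessor as an lvalue, a short comment at the macro definition noting that it must stay assignable would stop a later refactor into a value-returning inline from silently breaking this line.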
@@ -881,8 +882,10 @@
goto unlock_and_exit;
}
- if (size > CONFIG_XENO_OPT_NATIVE_PIPE_BUFSZ - pipe->fillsz)
- outbytes = CONFIG_XENO_OPT_NATIVE_PIPE_BUFSZ - pipe->fillsz;
+ if (size > CONFIG_XENO_OPT_NATIVE_PIPE_BUFSZ
+ - sizeof(RT_PIPE_MSG) - pipe->fillsz)
+ outbytes = CONFIG_XENO_OPT_NATIVE_PIPE_BUFSZ
+ - sizeof(RT_PIPE_MSG) - pipe->fillsz;
else
outbytes = size;
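Review bot: the usable capacity `CONFIG_XENO_OPT_NATIVE_PIPE_BUFSZ - sizeof(RT_PIPE_MSG)` is now written out twice in this hunk and a third time in the second hunk, where the same value is stored into `xnpipe_m_size(pipe->buffer)`; clamping against that stored size, or computing a single local such as `room = xnpipe_m_size(pipe->buffer) - pipe->fillsz;`, would keep the header reservation in one place so a future edit cannot reintroduce the out-of-bound write this fixes. The expression also assumes `pipe->fillsz` never exceeds the capacity; with unsigned arithmetic a larger `fillsz` would wrap instead of clamping, so an explicit assertion on that invariant would make the bound check self-documenting.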
--
Philippe.