From: Jan Kiszka <jan.kiszka@domain.hid>
To: xenomai-core <xenomai@xenomai.org>
Subject: [Xenomai-core] Race in rpi_clear_remote?
Date: Mon, 26 Apr 2010 15:43:22 +0200
Message-ID: <4BD5987A.2050804@domain.hid>

Hi,

I'm meditating over an oops in rpi_clear_remote. NULL pointer deref, it
/seems/ like thread->rpi is invalid. Looking at the code, I wonder if
this could explain the bug:


static void rpi_clear_remote(struct xnthread *thread)
{
...
        rpi = thread->rpi;
        if (unlikely(rpi == NULL))
                return;

        xnlock_get_irqsave(&rpi->rpilock, s);

        /*
         * The RPI slot - if present - is always valid, and won't
         * change since the thread is resuming on this CPU and cannot
         * migrate under our feet. We may grab the remote slot lock
         * now.
         */
        xnsched_pop_rpi(thread);
        thread->rpi = NULL;

...

So we deref (xnsched_pop_rpi) and clear thread->rpi under rpilock, but
we check for it without any protection? Sounds racy. I think 'thread' is
not only pointing to the current thread but could refer to a foreign one
as well, right? Don't we need this:

diff --git a/ksrc/nucleus/shadow.c b/ksrc/nucleus/shadow.c
index 872c37f..1f995d6 100644
--- a/ksrc/nucleus/shadow.c
+++ b/ksrc/nucleus/shadow.c
@@ -331,6 +331,12 @@ static void rpi_clear_remote(struct xnthread *thread)
 
 	xnlock_get_irqsave(&rpi->rpilock, s);
 
+	/* Re-check under lock, someone may have cleared rpi by now. */
+	if (unlikely(thread->rpi == NULL)) {
+		xnlock_put_irqrestore(&rpi->rpilock, s);
+		return;
+	}
+
 	/*
 	 * The RPI slot - if present - is always valid, and won't
 	 * change since the thread is resuming on this CPU and cannot
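Review bot: the recheck added under the lock tests thread->rpi only against NULL, while the lock that was taken belongs to the slot captured in the local `rpi` before the lock was acquired; if another party cleared thread->rpi and the thread then picked up a different slot in that window, thread->rpi is non-NULL, the check passes, and xnsched_pop_rpi() runs on a slot whose rpilock we do not hold. Comparing against the captured pointer covers both cases: `if (unlikely(thread->rpi != rpi))`. The comment that follows the new block ("The RPI slot - if present - is always valid, and won't change since the thread is resuming on this CPU") also states the invariant the recheck is there to doubt, so it should be reworded to say under which lock the slot is stable.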


Jan

-- 
Siemens AG, Corporate Technology, CT T DE IT 1
Corporate Competence Center Embedded Linux

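The interleaving the mail suspects, reproduced deterministically as an added example (constructed here, not code from the Xenomai nucleus or from the mail): a model of a thread holding a remote slot, the unlocked-check-then-lock pattern from the quoted snippet beside a variant that re-validates the pointer after taking the lock, and a hook that injects a concurrent clearer exactly between the check and the lock. The structures, the lock modelled as a held flag, and `pop_rpi()` returning -1 instead of faulting are all assumptions made so the bug is observable rather than fatal. The re-validated variant compares against the captured slot pointer rather than only against NULL, which goes beyond the patch in the mail by also covering a thread re-queued on another slot.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the nucleus structures named in the mail. The lock
 * is modelled as a held counter because the race is reproduced through a hook
 * rather than with real concurrency (assumption, not the real xnlock). */
struct rpi_slot {
    int lock_held;   /* models rpi->rpilock; must be 0 when no one holds it */
    int queued;      /* threads currently queued in this slot */
};

struct xnthread {
    struct rpi_slot *rpi;   /* NULL when the thread holds no remote slot */
};

static void rpilock_get(struct rpi_slot *s) { s->lock_held++; }
static void rpilock_put(struct rpi_slot *s) { s->lock_held--; }

/* Stand-in for xnsched_pop_rpi(): reports -1 instead of faulting when the
 * thread no longer points at a slot, so the NULL dereference is observable. */
static int pop_rpi(struct xnthread *thread)
{
    if (thread->rpi == NULL)
        return -1;
    thread->rpi->queued--;
    return 0;
}

/* Hook run in the window between the unlocked check and taking the lock. */
typedef void (*race_hook_t)(struct xnthread *);

enum { CLEAR_NULL_DEREF = -1, CLEAR_DONE = 0, CLEAR_NOTHING = 1 };

/* Pattern of the quoted snippet: check thread->rpi without the lock, then
 * dereference it under the slot lock. */
static int clear_remote_unchecked(struct xnthread *thread, race_hook_t hook)
{
    struct rpi_slot *rpi = thread->rpi;
    int rc;

    if (rpi == NULL)
        return CLEAR_NOTHING;
    if (hook)
        hook(thread);
    rpilock_get(rpi);
    rc = pop_rpi(thread);      /* dereferences thread->rpi, not the local copy */
    thread->rpi = NULL;
    rpilock_put(rpi);
    return rc == 0 ? CLEAR_DONE : CLEAR_NULL_DEREF;
}

/* Re-validated variant: once the lock is held, confirm the thread still
 * references the slot whose lock we hold. Comparing with the captured pointer
 * rather than only against NULL also covers a thread re-queued elsewhere. */
static int clear_remote_checked(struct xnthread *thread, race_hook_t hook)
{
    struct rpi_slot *rpi = thread->rpi;

    if (rpi == NULL)
        return CLEAR_NOTHING;
    if (hook)
        hook(thread);
    rpilock_get(rpi);
    if (thread->rpi != rpi) {
        rpilock_put(rpi);
        return CLEAR_NOTHING;
    }
    pop_rpi(thread);
    thread->rpi = NULL;
    rpilock_put(rpi);
    return CLEAR_DONE;
}

/* Plays the remote party: pops and clears the same thread under the slot lock
 * inside the window, which is the interleaving the mail suspects. */
static void concurrent_clear(struct xnthread *thread)
{
    struct rpi_slot *rpi = thread->rpi;

    rpilock_get(rpi);
    pop_rpi(thread);
    thread->rpi = NULL;
    rpilock_put(rpi);
}

/* Runs one scenario on fresh state: one thread queued in one slot. Returns the
 * CLEAR_* result; final queue depth and lock state come back via out params. */
static int run_scenario(int checked, int inject_race, int *queued, int *lock_held)
{
    struct rpi_slot slot = { 0, 1 };
    struct xnthread thread = { &slot };
    race_hook_t hook = inject_race ? concurrent_clear : NULL;
    int rc = checked ? clear_remote_checked(&thread, hook)
                     : clear_remote_unchecked(&thread, hook);

    *queued = slot.queued;
    *lock_held = slot.lock_held;
    return rc;
}

/* Result code only, for callers that do not care about the slot state. */
static int scenario_rc(int checked, int inject_race)
{
    int queued, held;
    return run_scenario(checked, inject_race, &queued, &held);
}

int main(void)
{
    static const char *names[] = { "NULL deref", "cleared", "nothing to do" };
    int checked, race, queued, held;

    for (checked = 0; checked <= 1; checked++)
        for (race = 0; race <= 1; race++) {
            int rc = run_scenario(checked, race, &queued, &held);
            printf("%s, %s: %s (queued=%d, lock_held=%d)\n",
                   checked ? "rechecked" : "unchecked",
                   race ? "race" : "no race", names[rc + 1], queued, held);
        }
    return 0;
}
```

Without the injected clearer both variants pop the slot once; with it, the unchecked variant reaches `pop_rpi()` with thread->rpi already NULL (the modelled oops), while the re-validated variant notices under the lock that the slot it locked is no longer the thread's and backs out without touching the queue.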

Thread overview: 18+ messages
2010-04-26 13:43 Jan Kiszka [this message]
2010-04-26 13:51 ` [Xenomai-core] Race in rpi_clear_remote? Jan Kiszka
2010-04-26 16:06   ` [Xenomai-core] [PATCH] nucleus: Plug race between rpi_clear_remote and rpi_next Jan Kiszka
2010-04-26 16:11     ` Jan Kiszka
2010-04-27  1:19     ` Philippe Gerum
2010-04-27  6:46       ` Jan Kiszka
2010-04-27  8:13         ` Philippe Gerum
2010-04-27  8:25           ` Jan Kiszka
2010-04-27  9:12             ` Philippe Gerum
2010-04-27  9:27               ` Jan Kiszka
2010-04-27  9:32                 ` Philippe Gerum
2010-04-27  9:34                   ` Jan Kiszka
2010-04-27  9:51                     ` Philippe Gerum
2010-04-27 10:40                       ` Jan Kiszka
2010-05-01 17:26                         ` Philippe Gerum
2010-05-01 17:47                           ` Jan Kiszka
2010-05-01 18:59                             ` Philippe Gerum
2010-05-02  9:08                               ` Jan Kiszka
