Gary-Hobson commented on code in PR #13129:
URL: https://github.com/apache/nuttx/pull/13129#discussion_r1730037733
##########
sched/task/task_setup.c:
##########
@@ -140,13 +140,28 @@ static int nxtask_assign_pid(FAR struct tcb_s *tcb)
* expand space.
*/
+ temp = g_pidhash;
+
+ /* Calling malloc in a critical section may cause thread switching.
+ * Here we check whether other threads have applied successfully,
+ * and if successful, return directly
+ */
+
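Review bot: the comment added after `temp = g_pidhash;` says the function will "return directly" once another thread has expanded the table, but it does not say what is compared against the `temp` snapshot or what happens to the buffer this thread has just allocated. Spell both out in the comment (if the check re-reads `g_pidhash` after the allocation and compares it with `temp`, say so, and say that the new buffer is released on that path), and end the last sentence with a period.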
Review Comment:
This situation is handled in line 158:
1. If no thread switch occurs, there is no effect
2. If a thread switch occurs but g_pidhash does not change, this does not
affect the subsequent process
3. If a thread switch occurs and g_pidhash changes, a retry will be performed
##########
sched/task/task_setup.c:
##########
@@ -170,6 +170,16 @@ static int nxtask_assign_pid(FAR struct tcb_s *tcb)
for (i = 0; i < g_npidhash / 2; i++)
{
+ if (g_pidhash[i] == NULL)
+ {
+ /* If the pid is not used, skip it.
+ * This may be triggered when a context switch occurs
+ * during mm_malloc and a thread is destroyed.
+ */
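Review bot: the `g_pidhash[i] == NULL` test only covers a slot that was emptied while the allocation was in progress; it does nothing to keep `i` inside the array that `g_pidhash` currently points to. The loop limit `g_npidhash / 2` and the indexed pointer `g_pidhash` are read separately on every iteration, so the bound is only valid while the two still describe the same table. Save the old pointer and the old count in locals before the allocation and iterate over those, so the copy never depends on the current value of either one.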
Review Comment:
This may cause problems: g_npidhash has been expanded, but g_pidhash is
still the original size. If you iterate g_npidhash, accessing g_pidhash will
cause an out-of-bounds memory access.
##########
sched/task/task_setup.c:
##########
@@ -155,6 +155,7 @@ static int nxtask_assign_pid(FAR struct tcb_s *tcb)
for (i = 0; i < g_npidhash / 2; i++)
{
+ DEBUGASSERT(g_pidhash[i] != NULL);
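Review bot: `DEBUGASSERT(g_pidhash[i] != NULL)` at the top of the loop body treats an empty slot as a programming error, and the check is compiled out when debug assertions are disabled. If a slot can become NULL because a task exits while the table is being rebuilt, that is a reachable state rather than a bug: handle it with an explicit `if (g_pidhash[i] == NULL)` test and `continue`, and keep assertions for conditions that can only arise from a defect.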
Review Comment:
Yes, I received feedback earlier today that an illegal pointer access is
triggered here.
There may also be a race condition when the thread exits.
##########
sched/task/task_setup.c:
##########
@@ -155,14 +170,23 @@ static int nxtask_assign_pid(FAR struct tcb_s *tcb)
for (i = 0; i < g_npidhash / 2; i++)
{
+ if (g_pidhash[i] == NULL)
+ {
+ /* If the pid is not used, skip it.
+ * This may be triggered when a context switch occurs
+ * during mm_malloc and a thread is destroyed.
+ */
+
+ continue;
+ }
+
hash_ndx = PIDHASH(g_pidhash[i]->pid);
DEBUGASSERT(pidhash[hash_ndx] == NULL);
pidhash[hash_ndx] = g_pidhash[i];
}
/* Release resource for original g_pidhash, using new g_pidhash */
- temp = g_pidhash;
g_pidhash = pidhash;
kmm_free(temp);
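Review bot: with `temp = g_pidhash;` removed from just before the swap, `kmm_free(temp)` frees a value assigned somewhere outside this hunk, while the copy loop above still reads `g_pidhash[i]`. The table being copied and the table being freed are the same object only if `g_pidhash` has not changed since `temp` was set. Index the loop through `temp[i]` so that relationship is visible in the code, and consider a `DEBUGASSERT(temp == g_pidhash);` immediately before `g_pidhash = pidhash;` if the earlier check is meant to guarantee it.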
Review Comment:
done