patacongo commented on PR #8970: URL: https://github.com/apache/nuttx/pull/8970#issuecomment-1497573684
This is the explanation for the change from Fotis Panagiotopoulos:

> nxtask_assign_pid() calls kmm_free(g_pidhash). Supposedly, right after
> freeing it, it should set again g_pidhash to pidhash;
> kmm_free however uses a semaphore. When free is complete, it posts the
> semaphore.
> nxsem_post() will internally call nxsem_checkholder() to perform the new
> check.
> This leads to a call to nxsched_get_tcb() that tries to access g_pidhash.
>
> But! g_pidhash is deallocated at this point! And thus it points to garbage.
>
> KASAN is right to complain.

So the problem has nothing to do with a critical section. It is caused within kmm_free. It frees g_pidhash then calls mm_unlock which, with the assertion logic, looks up the TCB using the stale memory pointed to by g_pidhash. This is not noticeable unless KASAN is enabled; then it causes an assertion because mm_unlock attempts to use the stale memory.

The correct value of g_pidhash must be retained through the kmm_free() call and the only way to do that is to set g_pidhash BEFORE calling kmm_free().

The logic is correct and this change must not be reverted or it will reintroduce the KASAN failure because it will access freed memory within the kmm_free/mm_unlock logic.
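The ordering problem described in the comment, as an added stand-alone model (not NuttX code and not from the PR). The names g_pidhash, kmm_free, mm_unlock and nxsched_get_tcb are borrowed from the discussion, but their bodies here are simplified stand-ins: two static tables play the old and new pid hash, and a per-table "freed" flag plays the role of KASAN's shadow memory, so a lookup that walks a freed table is counted instead of being undefined behaviour. The two entry points contrast the free-then-assign ordering with the assign-then-free ordering the PR keeps.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_PIDS 8
#define NTABLES  2

struct tcb_s {
  int pid;
};

/* Model state (assumed for this example, not NuttX's real layout). */
static struct tcb_s *g_tables[NTABLES][MAX_PIDS]; /* candidate pid tables   */
static bool          g_table_freed[NTABLES];      /* simulated KASAN shadow */
static struct tcb_s **g_pidhash;                  /* table currently in use */
static int           g_stale_lookups;             /* lookups via freed table */

static int table_index(void *p) {
  for (int i = 0; i < NTABLES; i++) {
    if (p == (void *)g_tables[i]) {
      return i;
    }
  }
  return -1;
}

/* Stand-in for nxsched_get_tcb(): every lookup goes through g_pidhash.
 * A lookup through a freed table is what KASAN would report. */
static struct tcb_s *nxsched_get_tcb(int pid) {
  int idx = table_index(g_pidhash);
  if (idx < 0 || g_table_freed[idx]) {
    g_stale_lookups++;
    return NULL;
  }
  return g_pidhash[pid];
}

/* Stand-in for mm_unlock() with the holder check enabled: posting the
 * heap semaphore looks up the current TCB, i.e. it walks g_pidhash. */
static void mm_unlock(int current_pid) {
  (void)nxsched_get_tcb(current_pid);
}

/* Stand-in for kmm_free(): mark the block freed, then unlock the heap. */
static void kmm_free(void *p, int current_pid) {
  int idx = table_index(p);
  if (idx >= 0) {
    g_table_freed[idx] = true;
  }
  mm_unlock(current_pid);
}

/* Put the model back to a known state: both tables hold `self`, table 0
 * is the live hash, nothing freed, no stale lookups recorded. */
static void reset_model(struct tcb_s *self) {
  for (int i = 0; i < NTABLES; i++) {
    g_table_freed[i] = false;
    for (int j = 0; j < MAX_PIDS; j++) {
      g_tables[i][j] = NULL;
    }
    g_tables[i][self->pid] = self;
  }
  g_pidhash       = g_tables[0];
  g_stale_lookups = 0;
}

/* Free-then-assign ordering: kmm_free() runs mm_unlock() while g_pidhash
 * still points at the freed table. Returns the stale-lookup count (1). */
int reassign_pidhash_free_first(void) {
  struct tcb_s self = { .pid = 1 };
  reset_model(&self);

  struct tcb_s **old = g_pidhash;
  kmm_free(old, self.pid);   /* mm_unlock dereferences the freed table */
  g_pidhash = g_tables[1];
  return g_stale_lookups;
}

/* Assign-then-free ordering (what the PR keeps): g_pidhash already points
 * at the new table when mm_unlock() runs. Returns the count (0). */
int reassign_pidhash_assign_first(void) {
  struct tcb_s self = { .pid = 1 };
  reset_model(&self);

  struct tcb_s **old = g_pidhash;
  g_pidhash = g_tables[1];   /* lookups inside kmm_free() see the new table */
  kmm_free(old, self.pid);
  return g_stale_lookups;
}

int main(void) {
  printf("free first:   %d stale lookup(s)\n", reassign_pidhash_free_first());
  printf("assign first: %d stale lookup(s)\n", reassign_pidhash_assign_first());
  return 0;
}
```

The point the model makes is the one in the comment: the dereference does not happen in the caller but inside the free path's unlock, so no critical section around the caller helps; only the order of the assignment relative to kmm_free() does. Without a shadow check like KASAN's, the first ordering reads freed memory silently, which is why the failure only surfaced with KASAN enabled.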