We are currently leaking user space heap/queue objects when the owner
terminates without deleting them first. Fix it by releasing the objects
in the corresponding cleanup callbacks, which are also called on owner
termination.

Signed-off-by: Jan Kiszka <jan.kis...@siemens.com>
---

 ksrc/skins/native/heap.c    |    5 +++++
 ksrc/skins/native/queue.c   |    5 +++++
 ksrc/skins/native/syscall.c |   25 ++++++-------------------
 3 files changed, 16 insertions(+), 19 deletions(-)

diff --git a/ksrc/skins/native/heap.c b/ksrc/skins/native/heap.c
index f7411e8..886758c 100644
--- a/ksrc/skins/native/heap.c
+++ b/ksrc/skins/native/heap.c
@@ -341,6 +341,11 @@ static void __heap_post_release(struct xnheap *h)
                xnpod_schedule();
 
        xnlock_put_irqrestore(&nklock, s);
+
+#ifdef CONFIG_XENO_OPT_PERVASIVE
+       if (heap->cpid)
+               xnfree(heap);
+#endif
 }
 
 /**
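Review bot: The descriptor's lifetime now ends at the added `xnfree(heap)` in `__heap_post_release`, but nothing at that site documents it; the same holds for `xnfree(q)` in `__queue_post_release` in queue.c. The free runs after `xnlock_put_irqrestore(&nklock, s)` and after a possible `xnpod_schedule()`, so any task resumed by that reschedule, and any code in the delete path that continues after the callback has fired, must not dereference the descriptor. Whether that holds cannot be confirmed from this hunk, because the function body and its callers start outside it. I would add a comment above the `#ifdef`, such as `/* Descriptors with cpid set were allocated for a user-space owner and are freed here; nothing may reference heap past this point. */`. It is also worth confirming that the registry entry is removed earlier in the callback, so that a later `xnregistry_fetch()` cannot return the freed pointer.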
diff --git a/ksrc/skins/native/queue.c b/ksrc/skins/native/queue.c
index 3592a4a..249947a 100644
--- a/ksrc/skins/native/queue.c
+++ b/ksrc/skins/native/queue.c
@@ -303,6 +303,11 @@ static void __queue_post_release(struct xnheap *heap)
                xnpod_schedule();
 
        xnlock_put_irqrestore(&nklock, s);
+
+#ifdef CONFIG_XENO_OPT_PERVASIVE
+       if (q->cpid)
+               xnfree(q);
+#endif
 }
 
 /**
diff --git a/ksrc/skins/native/syscall.c b/ksrc/skins/native/syscall.c
index 28c720e..cb9f075 100644
--- a/ksrc/skins/native/syscall.c
+++ b/ksrc/skins/native/syscall.c
@@ -2073,24 +2073,17 @@ static int __rt_queue_delete(struct pt_regs *regs)
 {
        RT_QUEUE_PLACEHOLDER ph;
        RT_QUEUE *q;
-       int err;
 
        if (__xn_safe_copy_from_user(&ph, (void __user *)__xn_reg_arg1(regs),
                                     sizeof(ph)))
                return -EFAULT;
 
        q = (RT_QUEUE *)xnregistry_fetch(ph.opaque);
-
        if (!q)
-               err = -ESRCH;
-       else {
-               /* Callee will check the queue descriptor for validity again. */
-               err = rt_queue_delete_inner(q, (void __user *)ph.mapbase);
-               if (!err && q->cpid)
-                       xnfree(q);
-       }
+               return -ESRCH;
 
-       return err;
+       /* Callee will check the queue descriptor for validity again. */
+       return rt_queue_delete_inner(q, (void __user *)ph.mapbase);
 }
 
 /*
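Review bot: In `__rt_queue_delete` the pointer returned by `xnregistry_fetch(ph.opaque)` is passed to `rt_queue_delete_inner()` with no lock visible in this hunk, and the kept comment relies on the callee validating the descriptor again. The descriptor is now freed from the post-release callback, which the description says also runs on owner termination. If a concurrent delete or cleanup completes between the fetch and the callee's check, that check would read freed memory; the same applies to `__rt_heap_delete` further down. The callee's locking is not visible here, so please confirm that the fetch and the validity check are covered by one critical section. If they are, the comment should state it, for example `/* Callee revalidates q under nklock; q may already be freed on return, do not touch it afterwards. */`.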
@@ -2604,7 +2597,6 @@ static int __rt_heap_delete(struct pt_regs *regs)
 {
        RT_HEAP_PLACEHOLDER ph;
        RT_HEAP *heap;
-       int err;
 
        if (__xn_safe_copy_from_user(&ph, (void __user *)__xn_reg_arg1(regs),
                                     sizeof(ph)))
@@ -2613,15 +2605,10 @@ static int __rt_heap_delete(struct pt_regs *regs)
        heap = (RT_HEAP *)xnregistry_fetch(ph.opaque);
 
        if (!heap)
-               err = -ESRCH;
-       else {
-               /* Callee will check the heap descriptor for validity again. */
-               err = rt_heap_delete_inner(heap, (void __user *)ph.mapbase);
-               if (!err && heap->cpid)
-                       xnfree(heap);
-       }
+               return -ESRCH;
 
-       return err;
+       /* Callee will check the heap descriptor for validity again. */
+       return rt_heap_delete_inner(heap, (void __user *)ph.mapbase);
 }
 
 /*

