Module: xenomai-forge
Branch: next
Commit: e56e2141bbbfba5e5d76b88365de3e349be8c300
URL:    
http://git.xenomai.org/?p=xenomai-forge.git;a=commit;h=e56e2141bbbfba5e5d76b88365de3e349be8c300

Author: Philippe Gerum <r...@xenomai.org>
Date:   Mon Jul 22 16:19:10 2013 +0200

cobalt/kernel: fix stale memory access upon task exit

---

 kernel/cobalt/pod.c    |    7 ++-----
 kernel/cobalt/sched.c  |    2 +-
 kernel/cobalt/shadow.c |   14 ++++++++++----
 3 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/kernel/cobalt/pod.c b/kernel/cobalt/pod.c
index 78f14c4..7b94d2a 100644
--- a/kernel/cobalt/pod.c
+++ b/kernel/cobalt/pod.c
@@ -793,13 +793,10 @@ static void cleanup_thread(struct xnthread *thread) /* 
nklock held, irqs off */
        if (moving_target(sched, thread))
                return;
 
-       xnshadow_unmap(thread);
        xnsched_forget(thread);
-       /*
-        * We may wipe the TCB out now that the unmap_thread() handler
-        * has run (in xnshadow_unmap()).
-        */
        xnthread_cleanup(thread);
+       /* Unmap last since this incurs releasing the TCB. */
+       xnshadow_unmap(thread);
 
        if (xnthread_test_state(sched->curr, XNROOT))
                xnfreesync();
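Review bot: The new ordering makes @thread invalid once xnshadow_unmap() returns, but only this pod.c hunk says so; the sched.c hunk in xnsched_zombie_hooks() performs the identical reorder with no comment, and neither call site states what is actually released by xnshadow_unmap() or who owns the TCB afterwards. I would repeat the one-liner there, `/* Unmap last since this incurs releasing the TCB. */`, and state the contract once above xnshadow_unmap()'s definition (not in this diff) so that any future statement inserted after the call is caught in review rather than by a stale read. cleanup_thread() continues past the end of the hunk.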
diff --git a/kernel/cobalt/sched.c b/kernel/cobalt/sched.c
index f8df929..1d75926 100644
--- a/kernel/cobalt/sched.c
+++ b/kernel/cobalt/sched.c
@@ -253,8 +253,8 @@ void xnsched_zombie_hooks(struct xnthread *thread)
                   "thread_out %p thread_out_name %s",
                   thread, xnthread_name(thread));
 
-       xnshadow_unmap(thread);
        xnsched_forget(thread);
+       xnshadow_unmap(thread);
 }
 
 void __xnsched_finalize_zombie(struct xnsched *sched)
diff --git a/kernel/cobalt/shadow.c b/kernel/cobalt/shadow.c
index c53d1a2..1a41e85 100644
--- a/kernel/cobalt/shadow.c
+++ b/kernel/cobalt/shadow.c
@@ -2191,6 +2191,7 @@ int ipipe_syscall_hook(struct ipipe_domain *ipd, struct 
pt_regs *regs)
 
 static int handle_taskexit_event(struct task_struct *p) /* p == current */
 {
+       struct xnpersonality *personality;
        struct xnsys_ppd *sys_ppd;
        struct xnthread *thread;
        struct mm_struct *mm;
@@ -2204,6 +2205,7 @@ static int handle_taskexit_event(struct task_struct *p) 
/* p == current */
 
        thread = xnshadow_current();
        XENO_BUGON(NUCLEUS, thread == NULL);
+       personality = thread->personality;
 
        trace_mark(xn_nucleus, shadow_exit, "thread %p thread_name %s",
                   thread, xnthread_name(thread));
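Review bot: The `personality = thread->personality;` snapshot is taken here, well before the __xnpod_cleanup_thread() call that invalidates @thread in the last hunk of this file, with xnthread_run_handler(thread, exit_thread) and the XNUSER ppd teardown running in between. If nothing on that path can retarget thread->personality this is only a readability concern, but moving the assignment down to sit directly above `__xnpod_cleanup_thread(thread);` keeps the copy adjacent to the reason it exists and makes the stale-memory comment there self-explanatory. handle_taskexit_event() begins before this hunk.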
@@ -2213,9 +2215,6 @@ static int handle_taskexit_event(struct task_struct *p) 
/* p == current */
 
        xnthread_run_handler(thread, exit_thread);
 
-       /* __xnpod_cleanup_thread() -> ... -> xnshadow_unmap() */
-       __xnpod_cleanup_thread(thread);
-
        if (xnthread_test_state(thread, XNUSER)) {
                xnlock_get_irqsave(&nklock, s);
                sys_ppd = xnsys_ppd_get(0);
@@ -2227,7 +2226,14 @@ static int handle_taskexit_event(struct task_struct *p) 
/* p == current */
                        ppd_remove_mm(mm, detach_ppd);
        }
 
-       leave_personality(thread->personality);
+       /*
+        * __xnpod_cleanup_thread() -> ... -> xnshadow_unmap(). From
+        * that point, the TCB is dropped. Be careful of not treading
+        * on stale memory within @thread.
+        */
+       __xnpod_cleanup_thread(thread);
+
+       leave_personality(personality);
        destroy_threadinfo();
 
        return EVENT_PROPAGATE;
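Review bot: After `__xnpod_cleanup_thread(thread);` the pointer stays live in scope with only the comment guarding against a later dereference, so destroy_threadinfo() or anything added below it would read freed memory silently rather than fault. I would add `thread = NULL;` immediately after that call so an accidental use trips a null dereference instead of a stale read, which is exactly the hazard the comment describes. The closing brace of handle_taskexit_event() is outside the hunk.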

