    cobalt/registry: prevent use-after-free triggered by object removal · d6af41b3
    Philippe Gerum authored
    Since the vfile export and unexport operations are asynchronous,
    returning from xnregistry_remove() is no guarantee that the registered
    object won't be further accessed, especially by the vfile export
    handler.
    
    Plug this race at least for all in-band callers removing objects while
    running on root stage like RTIPC protocols by synchronizing with the
    workqueue which handles deferred export/unexport requests, before
    returning from xnregistry_remove().
    
    This does not cover the issue of removing objects from the head
    stage. Fortunately, all users of the vfile export/unexport mechanism
    are unregistering objects from the root stage only (typically some
    RTDM close() handler).
    
    This issue was reported by KASAN.
    Signed-off-by: Philippe Gerum <rpm@xenomai.org>
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>