Commit d6af41b3 authored by Philippe Gerum, committed by Jan Kiszka

cobalt/registry: prevent use-after-free triggered by object removal

Since the vfile export and unexport operations are asynchronous,
returning from xnregistry_remove() is no guarantee that the registered
object won't be further accessed, especially by the vfile export
handler.

Plug this race at least for all in-band callers removing objects while
running on root stage like RTIPC protocols by synchronizing with the
workqueue which handles deferred export/unexport requests, before
returning from xnregistry_remove().

This does not cover the issue of removing objects from the head
stage. Fortunately, all users of the vfile export/unexport mechanism
are unregistering objects from the root stage only (typically some
RTDM close() handler).

This issue was reported by KASAN.
Signed-off-by: Philippe Gerum <rpm@xenomai.org>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
parent 997b8e18
......@@ -850,8 +850,12 @@ int xnregistry_remove(xnhandle_t handle)
* Leave the update of the object queues to
* the work callback if it has been kicked.
*/
if (object->pnode)
goto unlock_and_exit;
if (object->pnode) {
xnlock_put_irqrestore(&nklock, s);
if (ipipe_root_p)
flush_work(&registry_proc_work);
return 0;
}
}
#endif /* CONFIG_XENO_OPT_VFILE */
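Review bot: the new `if (object->pnode)` block only synchronizes when `ipipe_root_p` is true, so a caller removing an object from the head stage still returns before the deferred export/unexport work has run and keeps the use-after-free window the commit message describes; that limitation should be stated in the code, not just in the commit message, e.g. by extending the preceding comment ("Leave the update of the object queues to the work callback if it has been kicked.") with a line such as "Head-stage callers cannot flush the workqueue and may still race with the vfile export handler." Dropping `nklock` via `xnlock_put_irqrestore(&nklock, s)` before `flush_work(&registry_proc_work)` is correct since flushing may sleep, but the early `return 0` now bypasses the `unlock_and_exit` label, so please confirm that nothing else at that label (a return value or cleanup) was expected to run on this path.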