• cobalt/registry: prevent use-after-free triggered by object removal · d6af41b3
    Philippe Gerum authored
    Since the vfile export and unexport operations are asynchronous,
    returning from xnregistry_remove() is no guarantee that the registered
    object won't be further accessed, especially by the vfile export
    handler.
    
    Plug this race at least for all in-band callers removing objects while
    running on root stage like RTIPC protocols by synchronizing with the
    workqueue which handles deferred export/unexport requests, before
    returning from xnregistry_remove().
    
    This does not cover the issue of removing objects from the head
    stage. Fortunately, all users of the vfile export/unexport mechanism
    are unregistering objects from the root stage only (typically some
    RTDM close() handler).
    
    This issue was reported by KASAN.
    Signed-off-by: Philippe Gerum <rpm@xenomai.org>
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Name
config
debian
demo
doc
include
kernel
lib
scripts
testsuite
utils
.clang-format
.gitignore
.travis.yml
CONTRIBUTING.md
Makefile.am
README
configure.ac