luchianmihai/walnux
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

signal: use work_cancel_sync() to fix used after free

Browse source 
bug:

user thread:                             hpwork:
timer_create() with SIGEV_THREAD
timer_settime()
    irq -> work_queue()                  add nxsig_notification_worker to Q
timer_delete()
    nxsig_cancel_notification()
                                         call nxsig_notification_worker()
    work_cancel()
    timer_free()
                                         nxsig_notification_worker() used after free

root cause:
work_cancel() can't cancel work completely, the worker may alreay be running.

resolve:
use work_cancel_sync() API to cancel the work completely

Signed-off-by: ligd <liguiding1@xiaomi.com>
This commit is contained in:
ligd 2023-08-28 22:06:04 +08:00 committed by Xiang Xiao
parent 61ef7eb3dc
commit 415fe60695
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
sched/signal/sig_notification.c
View file

@ -175,6 +175,6 @@ int nxsig_notification(pid_t pid, FAR struct sigevent *event,
#ifdef CONFIG_SIG_EVTHREAD
void nxsig_cancel_notification(FAR struct sigwork_s *work)
{
work_cancel(SIG_EVTHREAD_WORK, &work->work);
work_cancel_sync(SIG_EVTHREAD_WORK, &work->work);
}
#endif