Changeset 07d4271 in mainline for kernel/generic/src/ipc/ipc.c

Timestamp:

2024-01-25T16:22:55Z (12 months ago)

Author:

Jiří Zárevúcky <zarevucky.jiri@…>

Branches:

master

Children:

f8b69a1e

Parents:

1a1e124

git-author:

Jiří Zárevúcky <zarevucky.jiri@…> (2024-01-25 15:56:31)

git-committer:

Jiří Zárevúcky <zarevucky.jiri@…> (2024-01-25 16:22:55)

Message:

Fix some unsound task reference manipulation and locking

In some operations that take task ID as an argument,
there's a possibility of the task being destroyed mid-operation
and a subsequent use-after-free situation.
As a general solution, task_find_by_id() is reimplemented to
check for this situation and always return a valid strong reference.
The callers then only need to handle the reference itself, and
don't need to concern themselves with tasks_lock.

File:

• kernel/generic/src/ipc/ipc.c (modified) (1 diff)

kernel/generic/src/ipc/ipc.c

@@ -967 +967 @@
 void ipc_print_task(task_id_t taskid)
 {
-        irq_spinlock_lock(&tasks_lock, true);
         task_t *task = task_find_by_id(taskid);
-        if (!task) {
-                irq_spinlock_unlock(&tasks_lock, true);
+        if (!task)
                 return;
-        }
-        task_hold(task);
-        irq_spinlock_unlock(&tasks_lock, true);
 
         printf("[phone cap] [calls] [state\n");