From 9aa6573359ffad41ef197b7f83623d7cbdeca068 Mon Sep 17 00:00:00 2001 From: cinap_lenrek Date: Sat, 26 Mar 2016 02:37:42 +0100 Subject: kernel: fix tsleep()/twakeup()/tsemacquire() race tsleep() used to cancel the timer with: if(up->tt != nil) timerdel(up); which still can result in twakeup() to fire after tsleep() returns (because we set Timer.tt to nil *before* we call the tfn). in most cases, this is not an issue as the Rendez* usually is just &up->sleep, but when it is dynamically allocated or on the stack like in tsemacquire(), twakeup() will call wakeup() on a potentially garbage Rendez structure! to fix the race, we execute the wakup() with the Timer lock held, and set p->trend to nil only after we called wakeup(). that way, the timerdel(); which unconditionally locks the Timer; can act as a proper barrier and use up->trend == nil as the condition if the timer has already fired. --- sys/src/9/port/proc.c | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/sys/src/9/port/proc.c b/sys/src/9/port/proc.c index 412a8eef9..3012cbeaa 100644 --- a/sys/src/9/port/proc.c +++ b/sys/src/9/port/proc.c @@ -822,24 +822,37 @@ tfn(void *arg) return up->trend == nil || up->tfn(arg); } -void +static void twakeup(Ureg*, Timer *t) { Proc *p; Rendez *trend; + ilock(t); p = t->ta; trend = p->trend; - p->trend = nil; - if(trend != nil) + if(trend != nil){ wakeup(trend); + p->trend = nil; + } + iunlock(t); +} + +static void +stoptimer(void) +{ + if(up->trend != nil){ + up->trend = nil; + timerdel(up); + } } void tsleep(Rendez *r, int (*fn)(void*), void *arg, ulong ms) { if(up->tt != nil){ - print("tsleep: timer active: mode %d, tf %#p\n", up->tmode, up->tf); + print("%s %lux: tsleep timer active: mode %d, tf %#p, pc %#p\n", + up->text, up->pid, up->tmode, up->tf, getcallerpc(&r)); timerdel(up); } up->tns = MS2NS(ms); @@ -851,13 +864,11 @@ tsleep(Rendez *r, int (*fn)(void*), void *arg, ulong ms) timeradd(up); if(waserror()){ - timerdel(up); + stoptimer(); nexterror(); } sleep(r, tfn, arg); - if(up->tt != nil) - timerdel(up); - up->twhen = 0; + stoptimer(); poperror(); } -- cgit v1.2.3