diff options
| author | Sebastian Huber <sebastian.huber@embedded-brains.de> | 2020-03-10 17:07:19 +0100 |
|---|---|---|
| committer | Sebastian Huber <sebastian.huber@embedded-brains.de> | 2020-03-13 09:57:04 +0100 |
| commit | c2287ba2cff59a50848151833404bce0e3cf0a70 (patch) | |
| tree | 24fbd290baf4722b2dd56df731f44b41b6765c45 /cpukit/libcsupport/src/libio.c | |
| parent | 2ff83634668c56598c9505809bb016c8697ed24e (diff) | |
libio: Robust file descriptor reference counting
There was a race conditon in the reference counting of file descriptors
during a close() operation. After the call to the close handler, the
rtems_libio_free() function cleared the flags to zero. However, at this
point in time there may still exist some holders of the file descriptor.
With RTEMS_DEBUG enabled this could lead to failed assertions in
rtems_libio_iop_drop().
Change the code to use only atomic read-modify-write operations on the
rtems_libio_iop::flags.
Diffstat (limited to 'cpukit/libcsupport/src/libio.c')
| -rw-r--r-- | cpukit/libcsupport/src/libio.c | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/cpukit/libcsupport/src/libio.c b/cpukit/libcsupport/src/libio.c index 0abb082a66..c9490c7aa5 100644 --- a/cpukit/libcsupport/src/libio.c +++ b/cpukit/libcsupport/src/libio.c @@ -134,11 +134,24 @@ void rtems_libio_free( rtems_libio_t *iop ) { + size_t zero; + rtems_filesystem_location_free( &iop->pathinfo ); rtems_libio_lock(); - iop = memset( iop, 0, sizeof( *iop ) ); + /* + * Clear everything except the reference count part. At this point in time + * there may be still some holders of this file descriptor. + */ + rtems_libio_iop_flags_clear( iop, LIBIO_FLAGS_REFERENCE_INC - 1U ); + zero = offsetof( rtems_libio_t, offset ); + memset( (char *) iop + zero, 0, sizeof( *iop ) - zero ); + + /* + * Append it to the free list. This increases the likelihood that a use + * after close is detected. + */ *rtems_libio_iop_free_tail = iop; rtems_libio_iop_free_tail = &iop->data1; |