Context Navigation

conctmeto.c@ bde48fa

Visit:

lfn serial ticket/834-toolchain-update topic/msim-upgrade topic/simplify-dev-export

Last change on this file since bde48fa was bde48fa, checked in by Jakub Jermar <jakub@…>, 8 years ago

Fix race condition

The capability created by phone_alloc() may get destroyed before
kobject_get(), so we must test kobject_get() return value.

Property mode set to 100644

File size: 3.7 KB

Rev	Line
[f0defd2]	1	/*
[e8039a86]	2	* Copyright (c) 2006 Ondrej Palkovsky
[48bcf49]	3	* Copyright (c) 2012 Jakub Jermar
[f0defd2]	4	* All rights reserved.
	5	*
	6	* Redistribution and use in source and binary forms, with or without
	7	* modification, are permitted provided that the following conditions
	8	* are met:
	9	*
	10	* - Redistributions of source code must retain the above copyright
	11	* notice, this list of conditions and the following disclaimer.
	12	* - Redistributions in binary form must reproduce the above copyright
	13	* notice, this list of conditions and the following disclaimer in the
	14	* documentation and/or other materials provided with the distribution.
	15	* - The name of the author may not be used to endorse or promote products
	16	* derived from this software without specific prior written permission.
	17	*
	18	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
	19	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
	20	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
	21	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
	22	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	23	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	24	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
	25	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	26	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
	27	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	28	*/
	29
	30	/** @addtogroup genericipc
	31	* @{
	32	*/
	33	/** @file
	34	*/
	35
	36	#include <ipc/sysipc_ops.h>
[e8039a86]	37	#include <ipc/ipc.h>
	38	#include <ipc/ipcrsc.h>
	39	#include <abi/errno.h>
	40	#include <arch.h>
[f0defd2]	41
[b7fd2a0]	42	static errno_t request_preprocess(call_t call, phone_t phone)
[e8039a86]	43	{
[09d01f2]	44	cap_handle_t phone_handle;
[b7fd2a0]	45	errno_t rc = phone_alloc(TASK, &phone_handle);
[e8039a86]	46
[09d01f2]	47	/* Remember the phone capability or that an error occured. */
	48	call->priv = (rc == EOK) ? phone_handle : -1;
	49
	50	if (rc != EOK) {
	51	return rc;
	52	}
[48bcf49]	53
[bde48fa]	54	/* Set ARG5 for server */
[48bcf49]	55	kobject_t *phone_obj = kobject_get(TASK, phone_handle,
	56	KOBJECT_TYPE_PHONE);
[bde48fa]	57	if (!phone_obj) {
	58	/*
	59	* Another thread of the same task can destroy the new
	60	* capability before we manage to get a reference from it.
	61	*/
	62	call->priv = -1;
	63	return ENOENT;
	64	}
[48bcf49]	65	/* Hand over phone_obj's reference to ARG5 */
	66	IPC_SET_ARG5(call->data, (sysarg_t) phone_obj->phone);
[e8039a86]	67
	68	return EOK;
	69	}
	70
[b7fd2a0]	71	static errno_t request_forget(call_t *call)
[b1e6269]	72	{
[48bcf49]	73	cap_handle_t phone_handle = (cap_handle_t) call->priv;
[09d01f2]	74
	75	if (phone_handle < 0) {
	76	return EOK;
	77	}
	78
[48bcf49]	79	phone_dealloc(phone_handle);
	80	/* Hand over reference from ARG5 to phone->kobject */
	81	phone_t phone = (phone_t ) IPC_GET_ARG5(call->data);
	82	/* Drop phone_obj's reference */
	83	kobject_put(phone->kobject);
[466e95f7]	84	return EOK;
[b1e6269]	85	}
	86
[b7fd2a0]	87	static errno_t answer_preprocess(call_t answer, ipc_data_t olddata)
[e8039a86]	88	{
[48bcf49]	89	/* Hand over reference from ARG5 to phone */
[e8039a86]	90	phone_t phone = (phone_t ) IPC_GET_ARG5(*olddata);
	91
	92	/* If the user accepted call, connect */
[48bcf49]	93	if (IPC_GET_RETVAL(answer->data) == EOK) {
	94	/* Hand over reference from phone to the answerbox */
[c33f39f]	95	(void) ipc_phone_connect(phone, &TASK->answerbox);
[48bcf49]	96	} else {
	97	kobject_put(phone->kobject);
	98	}
[e8039a86]	99
	100	return EOK;
	101	}
	102
[b7fd2a0]	103	static errno_t answer_process(call_t *answer)
[1b186ed]	104	{
[48bcf49]	105	cap_handle_t phone_handle = (cap_handle_t) answer->priv;
[022d72ff]	106
	107	if (IPC_GET_RETVAL(answer->data)) {
[48bcf49]	108	if (phone_handle >= 0) {
[022d72ff]	109	/*
	110	* The phone was indeed allocated and now needs
	111	* to be deallocated.
	112	*/
[48bcf49]	113	phone_dealloc(phone_handle);
[022d72ff]	114	}
[eab9689]	115	} else {
[48bcf49]	116	IPC_SET_ARG5(answer->data, phone_handle);
[eab9689]	117	}
[a35b458]	118
[1b186ed]	119	return EOK;
	120	}
[e8039a86]	121
	122	sysipc_ops_t ipc_m_connect_me_to_ops = {
	123	.request_preprocess = request_preprocess,
[b1e6269]	124	.request_forget = request_forget,
[f0defd2]	125	.request_process = null_request_process,
[b1e6269]	126	.answer_cleanup = null_answer_cleanup,
[e8039a86]	127	.answer_preprocess = answer_preprocess,
[1b186ed]	128	.answer_process = answer_process,
[f0defd2]	129	};
	130
	131	/** @}
	132	*/

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: mainline/kernel/generic/src/ipc/ops/conctmeto.c@ bde48fa

Download in other formats: