Skip to content

Commit

Permalink
core: fix race in mobj_reg_shm_get_by_cookie()
Browse files Browse the repository at this point in the history
Until this patch in mobj_reg_shm_get_by_cookie() there's a small window
after cpu_spin_unlock_xrestore() before the reference counter is
increased with mobj_get(). Fix that by calling mobj_get() before
unlocking reg_shm_slist_lock.

Fixes: b965149 ("core: reference count struct mobj")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
  • Loading branch information
jenswi-linaro authored and jforissier committed Nov 4, 2024
1 parent 75be62a commit 7c04952
Showing 1 changed file with 8 additions and 5 deletions.
13 changes: 8 additions & 5 deletions core/mm/mobj_dyn_shm.c
Original file line number Diff line number Diff line change
Expand Up @@ -366,14 +366,17 @@ static struct mobj_reg_shm *reg_shm_find_unlocked(uint64_t cookie)

struct mobj *mobj_reg_shm_get_by_cookie(uint64_t cookie)
{
uint32_t exceptions = cpu_spin_lock_xsave(&reg_shm_slist_lock);
struct mobj_reg_shm *r = reg_shm_find_unlocked(cookie);
struct mobj_reg_shm *r = NULL;
uint32_t exceptions = 0;
struct mobj *m = NULL;

exceptions = cpu_spin_lock_xsave(&reg_shm_slist_lock);
r = reg_shm_find_unlocked(cookie);
if (r)
m = mobj_get(&r->mobj);
cpu_spin_unlock_xrestore(&reg_shm_slist_lock, exceptions);
if (!r)
return NULL;

return mobj_get(&r->mobj);
return m;
}

TEE_Result mobj_reg_shm_release_by_cookie(uint64_t cookie)
Expand Down

0 comments on commit 7c04952

Please sign in to comment.