This is an automated email from the ASF dual-hosted git repository. xiaoxiang pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/nuttx.git
commit 415fe606950bb8856dacf7e005f5684979c0da2b Author: ligd <liguidi...@xiaomi.com> AuthorDate: Mon Aug 28 22:06:04 2023 +0800 signal: use work_cancel_sync() to fix used after free bug: user thread: hpwork: timer_create() with SIGEV_THREAD timer_settime() irq -> work_queue() add nxsig_notification_worker to Q timer_delete() nxsig_cancel_notification() call nxsig_notification_worker() work_cancel() timer_free() nxsig_notification_worker() used after free root cause: work_cancel() can't cancel work completely, the worker may already be running. resolve: use work_cancel_sync() API to cancel the work completely Signed-off-by: ligd <liguidi...@xiaomi.com> --- sched/signal/sig_notification.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sched/signal/sig_notification.c b/sched/signal/sig_notification.c index 6313fa0d23..3f7acfc739 100644 --- a/sched/signal/sig_notification.c +++ b/sched/signal/sig_notification.c @@ -175,6 +175,6 @@ int nxsig_notification(pid_t pid, FAR struct sigevent *event, #ifdef CONFIG_SIG_EVTHREAD void nxsig_cancel_notification(FAR struct sigwork_s *work) { - work_cancel(SIG_EVTHREAD_WORK, &work->work); + work_cancel_sync(SIG_EVTHREAD_WORK, &work->work); } #endif
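Review bot: In nxsig_cancel_notification(), the switch to work_cancel_sync() turns this into a call that, as the name and the commit message imply, waits for a worker that is already running, and nothing in the hunk documents that; the function's header comment should state that it may block and which contexts are allowed to call it. Two cases are worth confirming before merge. First, whether any caller on the timer_delete() path reaches this function from interrupt context or while holding a critical section. Second, whether a SIGEV_THREAD callback that calls timer_delete() on its own timer would issue the cancel from the SIG_EVTHREAD_WORK worker itself and end up waiting on its own completion. The function stays void and the result of the call is discarded, so if the synchronous cancel can fail, timer_free() would still proceed and the use after free described in the commit message would remain reachable; consider checking the result or asserting on it.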