[hrtimer] fixup use-after-free (#8928)

polarvid · web-flow · commit 989cc61f4848 · 2024-05-11T08:53:42.000+08:00
Signed-off-by: Shell &lt;smokewood@qq.com&gt;
diff --git a/components/drivers/ipc/completion_mp.c b/components/drivers/ipc/completion_mp.c
@@ -326,11 +326,11 @@ rt_err_t rt_completion_wakeup_by_errno(struct rt_completion *completion,
                     }
 
                     /* safe to assume publication done even on resume failure */
-                    rt_thread_resume(suspend_thread);
                     RT_ASSERT(rt_atomic_load(&completion->susp_thread_n_flag) ==
                               RT_WAKING);
                     IPC_STORE(&completion->susp_thread_n_flag, RT_UNCOMPLETED,
                               memory_order_release);
+                    rt_thread_resume(suspend_thread);
                     error = RT_EOK;
                     break;
                 }
diff --git a/components/drivers/ktime/src/hrtimer.c b/components/drivers/ktime/src/hrtimer.c
@@ -111,32 +111,29 @@ static void _sleep_timeout(void *parameter)
     rt_completion_done(&timer->completion);
 }
 
-static void _set_next_timeout(void);
+static void _set_next_timeout_n_unlock(rt_base_t level);
 static void _timeout_callback(void *parameter)
 {
     rt_ktime_hrtimer_t timer;
     timer = (rt_ktime_hrtimer_t)parameter;
     rt_base_t level;
 
+    level     = rt_spin_lock_irqsave(&_spinlock);
+    _nowtimer = RT_NULL;
+    rt_list_remove(&(timer->row));
+
     if (timer->parent.flag & RT_TIMER_FLAG_ACTIVATED)
     {
         timer->timeout_func(timer->parameter);
     }
 
-    level     = rt_spin_lock_irqsave(&_spinlock);
-    _nowtimer = RT_NULL;
-    rt_list_remove(&(timer->row));
-    rt_spin_unlock_irqrestore(&_spinlock, level);
-
-    _set_next_timeout();
+    _set_next_timeout_n_unlock(level);
 }
 
-static void _set_next_timeout(void)
+static void _set_next_timeout_n_unlock(rt_base_t level)
 {
     rt_ktime_hrtimer_t t;
-    rt_base_t          level;
 
-    level = rt_spin_lock_irqsave(&_spinlock);
     if (&_timer_list != _timer_list.prev)
     {
         t = rt_list_entry((&_timer_list)->next, struct rt_ktime_hrtimer, row);
@@ -202,9 +199,6 @@ rt_err_t rt_ktime_hrtimer_start(rt_ktime_hrtimer_t timer)
     /* parameter check */
     RT_ASSERT(timer != RT_NULL);
 
-    /* notify the timer stop event */
-    rt_completion_wakeup_by_errno(&timer->completion, RT_ERROR);
-
     level = rt_spin_lock_irqsave(&_spinlock);
     rt_list_remove(&timer->row); /* remove timer from list */
     /* change status of timer */
@@ -228,9 +222,8 @@ rt_err_t rt_ktime_hrtimer_start(rt_ktime_hrtimer_t timer)
     }
     rt_list_insert_after(timer_list, &(timer->row));
     timer->parent.flag |= RT_TIMER_FLAG_ACTIVATED;
-    rt_spin_unlock_irqrestore(&_spinlock, level);
 
-    _set_next_timeout();
+    _set_next_timeout_n_unlock(level);
 
     return RT_EOK;
 }
@@ -250,9 +243,8 @@ rt_err_t rt_ktime_hrtimer_stop(rt_ktime_hrtimer_t timer)
     _nowtimer = RT_NULL;
     rt_list_remove(&timer->row);
     timer->parent.flag &= ~RT_TIMER_FLAG_ACTIVATED; /* change status */
-    rt_spin_unlock_irqrestore(&_spinlock, level);
 
-    _set_next_timeout();
+    _set_next_timeout_n_unlock(level);
 
     return RT_EOK;
 }
@@ -344,8 +336,7 @@ rt_err_t rt_ktime_hrtimer_detach(rt_ktime_hrtimer_t timer)
     {
         _nowtimer = RT_NULL;
         rt_list_remove(&timer->row);
-        rt_spin_unlock_irqrestore(&_spinlock, level);
-        _set_next_timeout();
+        _set_next_timeout_n_unlock(level);
     }
     else
     {
diff --git a/src/cpu_mp.c b/src/cpu_mp.c
@@ -219,6 +219,7 @@ RTM_EXPORT(rt_cpus_lock_status_restore);
 
 /* A safe API with debugging feature to be called in most codes */
 
+#undef rt_cpu_get_id
 /**
  * @brief Get logical CPU ID
  *

Original file line number	Diff line number	Diff line change
`@@ -326,11 +326,11 @@ rt_err_t rt_completion_wakeup_by_errno(struct rt_completion *completion,`
`326`	`326`	`}`
`327`	`327`
`328`	`328`	`/* safe to assume publication done even on resume failure */`
`329`		`- rt_thread_resume(suspend_thread);`
`330`	`329`	`RT_ASSERT(rt_atomic_load(&completion->susp_thread_n_flag) ==`
`331`	`330`	`RT_WAKING);`
`332`	`331`	`IPC_STORE(&completion->susp_thread_n_flag, RT_UNCOMPLETED,`
`333`	`332`	`memory_order_release);`
	`333`	`+ rt_thread_resume(suspend_thread);`
`334`	`334`	`error = RT_EOK;`
`335`	`335`	`break;`
`336`	`336`	`}`
Original file line number	Diff line number	Diff line change
`@@ -111,32 +111,29 @@ static void _sleep_timeout(void *parameter)`
`111`	`111`	`rt_completion_done(&timer->completion);`
`112`	`112`	`}`
`113`	`113`
`114`		`-static void _set_next_timeout(void);`
	`114`	`+static void _set_next_timeout_n_unlock(rt_base_t level);`
`115`	`115`	`static void _timeout_callback(void *parameter)`
`116`	`116`	`{`
`117`	`117`	`rt_ktime_hrtimer_t timer;`
`118`	`118`	`timer = (rt_ktime_hrtimer_t)parameter;`
`119`	`119`	`rt_base_t level;`
`120`	`120`
	`121`	`+ level = rt_spin_lock_irqsave(&_spinlock);`
	`122`	`+ _nowtimer = RT_NULL;`
	`123`	`+ rt_list_remove(&(timer->row));`
	`124`	`+`
`121`	`125`	`if (timer->parent.flag & RT_TIMER_FLAG_ACTIVATED)`
`122`	`126`	`{`
`123`	`127`	`timer->timeout_func(timer->parameter);`
`124`	`128`	`}`
`125`	`129`
`126`		`- level = rt_spin_lock_irqsave(&_spinlock);`
`127`		`- _nowtimer = RT_NULL;`
`128`		`- rt_list_remove(&(timer->row));`
`129`		`- rt_spin_unlock_irqrestore(&_spinlock, level);`
`130`		`-`
`131`		`- _set_next_timeout();`
	`130`	`+ _set_next_timeout_n_unlock(level);`
`132`	`131`	`}`
`133`	`132`
`134`		`-static void _set_next_timeout(void)`
	`133`	`+static void _set_next_timeout_n_unlock(rt_base_t level)`
`135`	`134`	`{`
`136`	`135`	`rt_ktime_hrtimer_t t;`
`137`		`- rt_base_t level;`
`138`	`136`
`139`		`- level = rt_spin_lock_irqsave(&_spinlock);`
`140`	`137`	`if (&_timer_list != _timer_list.prev)`
`141`	`138`	`{`
`142`	`139`	`t = rt_list_entry((&_timer_list)->next, struct rt_ktime_hrtimer, row);`
`@@ -202,9 +199,6 @@ rt_err_t rt_ktime_hrtimer_start(rt_ktime_hrtimer_t timer)`
`202`	`199`	`/* parameter check */`
`203`	`200`	`RT_ASSERT(timer != RT_NULL);`
`204`	`201`
`205`		`- /* notify the timer stop event */`
`206`		`- rt_completion_wakeup_by_errno(&timer->completion, RT_ERROR);`
`207`		`-`
`208`	`202`	`level = rt_spin_lock_irqsave(&_spinlock);`
`209`	`203`	`rt_list_remove(&timer->row); /* remove timer from list */`
`210`	`204`	`/* change status of timer */`
`@@ -228,9 +222,8 @@ rt_err_t rt_ktime_hrtimer_start(rt_ktime_hrtimer_t timer)`
`228`	`222`	`}`
`229`	`223`	`rt_list_insert_after(timer_list, &(timer->row));`
`230`	`224`	`timer->parent.flag \|= RT_TIMER_FLAG_ACTIVATED;`
`231`		`- rt_spin_unlock_irqrestore(&_spinlock, level);`
`232`	`225`
`233`		`- _set_next_timeout();`
	`226`	`+ _set_next_timeout_n_unlock(level);`
`234`	`227`
`235`	`228`	`return RT_EOK;`
`236`	`229`	`}`
`@@ -250,9 +243,8 @@ rt_err_t rt_ktime_hrtimer_stop(rt_ktime_hrtimer_t timer)`
`250`	`243`	`_nowtimer = RT_NULL;`
`251`	`244`	`rt_list_remove(&timer->row);`
`252`	`245`	`timer->parent.flag &= ~RT_TIMER_FLAG_ACTIVATED; /* change status */`
`253`		`- rt_spin_unlock_irqrestore(&_spinlock, level);`
`254`	`246`
`255`		`- _set_next_timeout();`
	`247`	`+ _set_next_timeout_n_unlock(level);`
`256`	`248`
`257`	`249`	`return RT_EOK;`
`258`	`250`	`}`
`@@ -344,8 +336,7 @@ rt_err_t rt_ktime_hrtimer_detach(rt_ktime_hrtimer_t timer)`
`344`	`336`	`{`
`345`	`337`	`_nowtimer = RT_NULL;`
`346`	`338`	`rt_list_remove(&timer->row);`
`347`		`- rt_spin_unlock_irqrestore(&_spinlock, level);`
`348`		`- _set_next_timeout();`
	`339`	`+ _set_next_timeout_n_unlock(level);`
`349`	`340`	`}`
`350`	`341`	`else`
`351`	`342`	`{`
Original file line number	Diff line number	Diff line change
`@@ -219,6 +219,7 @@ RTM_EXPORT(rt_cpus_lock_status_restore);`
`219`	`219`
`220`	`220`	`/* A safe API with debugging feature to be called in most codes */`
`221`	`221`
	`222`	`+#undef rt_cpu_get_id`
`222`	`223`	`/**`
`223`	`224`	`* @brief Get logical CPU ID`
`224`	`225`	`*`