Commit d6af41b3 authored by Philippe Gerum, committed by Jan Kiszka

cobalt/registry: prevent use-after-free triggered by object removal

Since the vfile export and unexport operations are asynchronous,
returning from xnregistry_remove() is no guarantee that the registered
object won't be further accessed, especially by the vfile export

Plug this race at least for all in-band callers removing objects while
running on root stage like RTIPC protocols by synchronizing with the
workqueue which handles deferred export/unexport requests, before
returning from xnregistry_remove().

This does not cover the issue of removing objects from the head
stage. Fortunately, all users of the vfile export/unexport mechanism
are unregistering objects from the root stage only (typically some
RTDM close() handler).

This issue was reported by KASAN.

Signed-off-by: Philippe Gerum <>
Signed-off-by: Jan Kiszka <>
parent 997b8e18
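The race the commit message describes, modelled in plain userspace C as an added example (this is not Xenomai code and does not use the cobalt registry API): a registration queues a deferred "export" to a worker thread, and the caller unregisters the object right away. Without synchronization the worker can reach the object after it has been torn down; the fixed path waits for the work queue to drain first, which is the behaviour xnregistry_remove() gains for root-stage callers. The object is poisoned rather than free()d so the late access is counted instead of crashing, and the delay in the work handler only widens the window so the outcome is reproducible; struct and function names are invented for the model.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Hypothetical registered object. `live` is cleared on removal and the
 * memory is poisoned instead of freed, so a late access is detectable. */
struct reg_object {
    char name[32];
    int live;
};

struct work_item {
    struct reg_object *obj;
    int (*fn)(struct reg_object *);
    struct work_item *next;
};

static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
static pthread_cond_t wq_cond = PTHREAD_COND_INITIALIZER;   /* work available */
static pthread_cond_t idle_cond = PTHREAD_COND_INITIALIZER; /* queue drained  */
static struct work_item *wq_head, *wq_tail;
static int wq_pending;  /* queued plus in-flight items */
static int wq_stop;
static int uaf_hits;    /* handler ran against an object already removed */

/* Stand-in for the deferred vfile export handler. The sleep widens the
 * window between dequeue and the access so the race shows up reliably. */
static int export_work(struct reg_object *obj)
{
    struct timespec ts = { 0, 20 * 1000 * 1000 };
    nanosleep(&ts, NULL);
    return obj->live ? 0 : -1;   /* -1: touched after removal */
}

static void *worker(void *arg)
{
    (void)arg;
    for (;;) {
        pthread_mutex_lock(&lock);
        while (!wq_head && !wq_stop)
            pthread_cond_wait(&wq_cond, &lock);
        if (!wq_head) {          /* stopped with an empty queue */
            pthread_mutex_unlock(&lock);
            return NULL;
        }
        struct work_item *w = wq_head;
        wq_head = w->next;
        if (!wq_head)
            wq_tail = NULL;
        pthread_mutex_unlock(&lock);

        int rc = w->fn(w->obj);  /* runs unlocked, like a workqueue callback */

        pthread_mutex_lock(&lock);
        if (rc < 0)
            uaf_hits++;
        if (--wq_pending == 0)
            pthread_cond_broadcast(&idle_cond);
        pthread_mutex_unlock(&lock);
        free(w);
    }
}

/* Registration side: defer the export to the worker. */
static void queue_export(struct reg_object *obj)
{
    struct work_item *w = calloc(1, sizeof *w);
    w->obj = obj;
    w->fn = export_work;
    pthread_mutex_lock(&lock);
    if (wq_tail)
        wq_tail->next = w;
    else
        wq_head = w;
    wq_tail = w;
    wq_pending++;
    pthread_cond_signal(&wq_cond);
    pthread_mutex_unlock(&lock);
}

/* Model of flush_work(): block until nothing is queued or in flight. */
static void flush_wq(void)
{
    pthread_mutex_lock(&lock);
    while (wq_pending > 0)
        pthread_cond_wait(&idle_cond, &lock);
    pthread_mutex_unlock(&lock);
}

/* Removal. With `sync` set, drain deferred work before tearing the object
 * down (the fixed behaviour); without it, tear down immediately (the race). */
static void registry_remove(struct reg_object *obj, int sync)
{
    if (sync)
        flush_wq();
    obj->live = 0;
    memset(obj->name, 0, sizeof obj->name);  /* poison instead of free() */
}

/* One register/remove cycle; returns the number of late accesses seen. */
int run_scenario(int sync)
{
    pthread_t tid;
    struct reg_object *obj = calloc(1, sizeof *obj);
    strcpy(obj->name, "rtipc-socket");
    obj->live = 1;

    pthread_mutex_lock(&lock);
    uaf_hits = 0;
    wq_stop = 0;
    pthread_mutex_unlock(&lock);
    pthread_create(&tid, NULL, worker, NULL);

    queue_export(obj);           /* registration defers the export */
    registry_remove(obj, sync);  /* caller unregisters right away   */

    pthread_mutex_lock(&lock);
    wq_stop = 1;
    pthread_cond_broadcast(&wq_cond);
    pthread_mutex_unlock(&lock);
    pthread_join(tid, NULL);
    free(obj);
    return uaf_hits;
}

int main(void)
{
    printf("without flush: %d late access(es)\n", run_scenario(0));
    printf("with flush:    %d late access(es)\n", run_scenario(1));
    return 0;
}
```

The unsynchronized cycle reports one late access and the synchronized one none. The model only covers a caller that may sleep, which is why the real fix restricts the flush to the root stage: a head-stage caller cannot block on the workqueue, exactly the gap the commit message leaves open.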
......@@ -850,8 +850,12 @@ int xnregistry_remove(xnhandle_t handle)
* Leave the update of the object queues to
* the work callback if it has been kicked.
if (object->pnode)
goto unlock_and_exit;
if (object->pnode) {
xnlock_put_irqrestore(&nklock, s);
if (ipipe_root_p)
return 0;
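Review bot: As rendered, the new root-stage branch reads `if (ipipe_root_p)` immediately followed by `return 0;`, with no call that synchronizes with the deferred export/unexport work the commit message says this change adds, so either the flush sits in lines cut off here or the hunk is incomplete; confirm the workqueue flush precedes that return. Also, since `xnlock_put_irqrestore(&nklock, s);` now runs before the root-stage check, verify that the non-root path which continues after these lines does not reach the old `unlock_and_exit` label and drop the lock a second time.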