[hrtimer] fixup use-after-free (#8928)

Signed-off-by: Shell <smokewood@qq.com>
2025-02-28 04:27:07 +08:00 · 2024-05-11 08:53:42 +08:00 · 2024-05-11 08:53:42 +08:00 · 989cc61f48
commit 989cc61f48
parent 5dba9a4214
3 changed files with 12 additions and 20 deletions
--- a/components/drivers/ipc/completion_mp.c
+++ b/components/drivers/ipc/completion_mp.c
@ -326,11 +326,11 @@ rt_err_t rt_completion_wakeup_by_errno(struct rt_completion *completion,
                    }
                    /* safe to assume publication done even on resume failure */
                    rt_thread_resume(suspend_thread);
                    RT_ASSERT(rt_atomic_load(&completion->susp_thread_n_flag) ==
                              RT_WAKING);
                    IPC_STORE(&completion->susp_thread_n_flag, RT_UNCOMPLETED,
                              memory_order_release);
                    rt_thread_resume(suspend_thread);
                    error = RT_EOK;
                    break;
                }
--- a/components/drivers/ktime/src/hrtimer.c
+++ b/components/drivers/ktime/src/hrtimer.c
@ -111,32 +111,29 @@ static void _sleep_timeout(void *parameter)
    rt_completion_done(&timer->completion);
 }
-static void _set_next_timeout(void);
+static void _set_next_timeout_n_unlock(rt_base_t level);
 static void _timeout_callback(void *parameter)
 {
    rt_ktime_hrtimer_t timer;
    timer = (rt_ktime_hrtimer_t)parameter;
    rt_base_t level;
    level     = rt_spin_lock_irqsave(&_spinlock);
    _nowtimer = RT_NULL;
    rt_list_remove(&(timer->row));
    if (timer->parent.flag & RT_TIMER_FLAG_ACTIVATED)
    {
        timer->timeout_func(timer->parameter);
    }
-    level     = rt_spin_lock_irqsave(&_spinlock);
+    _set_next_timeout_n_unlock(level);
    _nowtimer = RT_NULL;
    rt_list_remove(&(timer->row));
    rt_spin_unlock_irqrestore(&_spinlock, level);
    _set_next_timeout();
 }
-static void _set_next_timeout(void)
+static void _set_next_timeout_n_unlock(rt_base_t level)
 {
    rt_ktime_hrtimer_t t;
    rt_base_t          level;
    level = rt_spin_lock_irqsave(&_spinlock);
    if (&_timer_list != _timer_list.prev)
    {
        t = rt_list_entry((&_timer_list)->next, struct rt_ktime_hrtimer, row);
@ -202,9 +199,6 @@ rt_err_t rt_ktime_hrtimer_start(rt_ktime_hrtimer_t timer)
    /* parameter check */
    RT_ASSERT(timer != RT_NULL);
    /* notify the timer stop event */
    rt_completion_wakeup_by_errno(&timer->completion, RT_ERROR);
    level = rt_spin_lock_irqsave(&_spinlock);
    rt_list_remove(&timer->row); /* remove timer from list */
    /* change status of timer */
@ -228,9 +222,8 @@ rt_err_t rt_ktime_hrtimer_start(rt_ktime_hrtimer_t timer)
    }
    rt_list_insert_after(timer_list, &(timer->row));
    timer->parent.flag |= RT_TIMER_FLAG_ACTIVATED;
    rt_spin_unlock_irqrestore(&_spinlock, level);
-    _set_next_timeout();
+    _set_next_timeout_n_unlock(level);
    return RT_EOK;
 }
@ -250,9 +243,8 @@ rt_err_t rt_ktime_hrtimer_stop(rt_ktime_hrtimer_t timer)
    _nowtimer = RT_NULL;
    rt_list_remove(&timer->row);
    timer->parent.flag &= ~RT_TIMER_FLAG_ACTIVATED; /* change status */
    rt_spin_unlock_irqrestore(&_spinlock, level);
-    _set_next_timeout();
+    _set_next_timeout_n_unlock(level);
    return RT_EOK;
 }
@ -344,8 +336,7 @@ rt_err_t rt_ktime_hrtimer_detach(rt_ktime_hrtimer_t timer)
    {
        _nowtimer = RT_NULL;
        rt_list_remove(&timer->row);
-        rt_spin_unlock_irqrestore(&_spinlock, level);
+        _set_next_timeout_n_unlock(level);
        _set_next_timeout();
    }
    else
    {
--- a/src/cpu_mp.c
+++ b/src/cpu_mp.c
@ -219,6 +219,7 @@ RTM_EXPORT(rt_cpus_lock_status_restore);
 /* A safe API with debugging feature to be called in most codes */
 #undef rt_cpu_get_id
 /**
 * @brief Get logical CPU ID
 *