This patch prevent heap corruption as in below case.

TASK A                        TASK B
                              malloc()
                              mm_takesemaphore()
                              heap holder is set to TASK B
                         <--- preempt
...
task_exit()
Set to current task to
  TASK B
Try to release tcb, and
  stack memory
free()
mm_takesemaphore()
  - Successfully obtain
    semaphore because current
    task and heap holder is
    same.
Free memory....
Heap corrupt.

This change forces all de-allocations via sched_kfree() and sched_ufree()
to be delayed.  Eliminating the immediate de-allocation prevents the
above problem with the re-entrant semaphore, because the deallocation
always occurs on the worker thread, never on TASK B.

There could be consequences in the timing of memory availability.  We
will see.
EunBong Song
2018-09-11 08:17:33 -06:00
committed by Gregory Nutt
parent c24fdb3ada
commit 91aa26774b
-20
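--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -85,8 +85,6 @@ void sched_ufree(FAR void *address)
 * must have exclusive access to the memory manager to do this.
 */
-if (up_interrupt_context() || kumm_trysemaphore() != 0)
-{
 irqstate_t flags;
 /* Yes.. Make sure that this is not a attempt to free kernel memory
@@ -108,14 +106,6 @@ void sched_ufree(FAR void *address)
 sched_signal_free();
 leave_critical_section(flags);
-}
-else
-{
-/* No.. just deallocate the memory now. */
-kumm_free(address);
-kumm_givesemaphore();
-}
 #endif
 }
@@ -129,8 +119,6 @@ void sched_kfree(FAR void *address)
 * must have exclusive access to the memory manager to do this.
 */
-if (up_interrupt_context() || kmm_trysemaphore() != 0)
-{
 /* Yes.. Make sure that this is not a attempt to free user memory
 * using the kernel deallocator.
 */
@@ -148,14 +136,6 @@ void sched_kfree(FAR void *address)
 sched_signal_free();
 leave_critical_section(flags);
 }
-else
-{
-/* No.. just deallocate the memory now. */
-kmm_free(address);
-kmm_givesemaphore();
-}
-}
 #endif
 /****************************************************************************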
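Review bot: The comments kept as context in this section still describe the `if (up_interrupt_context() || kmm_trysemaphore() != 0)` test that the change deletes — `* must have exclusive access to the memory manager to do this.` and `/* Yes.. Make sure that this is not a attempt to free user memory` now refer to a condition that no longer exists, so a reader of the new code will look for a branch that is not there; the same stale lead-in survives in the first hunk of sched_ufree and the first hunk of sched_kfree. Replace the lead-in with a comment stating the new contract, e.g. `/* Always defer the free to the worker thread: freeing here could run on a task's context after task_exit() switched the current task, which defeats the re-entrant heap semaphore's holder check. */`, and drop the `Yes..` prefix. With the `else` branch gone, neither `kmm_trysemaphore()` nor `kmm_givesemaphore()` is called on this path, which is consistent only because both sides were removed together; saying so in the comment guards against a later change reintroducing an immediate-free path without the holder check. Both sched_ufree and sched_kfree begin outside the hunks shown.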