From d468ff3eeba770f9cf2a109e94e3e63076fa9d38 Mon Sep 17 00:00:00 2001
From: chao an
Date: Mon, 11 Mar 2024 10:36:20 +0800
Subject: [PATCH] sched/group: set clear flag if the group is not really needed

The delete flag is not synchronized with the life cycle of the group, if the flag set before waitpid(), the tcb will be mistakenly deleted by group_del_waiter(), use-after-free will happen.
Regression by:
| commit 29e50ffa7374fa4c473d8d4f8cb3506665443d3e (origin/master, origin/HEAD)
| Author: chao an
| Date: Mon Mar 4 09:19:27 2024 +0800
|
| sched/group: move task group into task_tcb_s to improve performance
|
| move task group into task_tcb_s to avoid access allocator to improve performance
|
| for Task Termination, the time consumption will be reduced ~2us (Tricore TC397 300MHZ):
| 15.97(us) -> 13.55(us)
|
| Signed-off-by: chao an
Signed-off-by: chao an
---
 sched/group/group_leave.c | 8 ++++----
 sched/sched/sched_releasetcb.c | 4 ++++
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/sched/group/group_leave.c b/sched/group/group_leave.c
index b4bde70463..fe452f27c4 100644
--- a/sched/group/group_leave.c
+++ b/sched/group/group_leave.c
@@ -120,15 +120,15 @@ group_release(FAR struct task_group_s *group, uint8_t ttype)
 }
 #endif
- /* Mark the group as deleted now */
-
- group->tg_flags |= GROUP_FLAG_DELETED;
-
 /* Then drop the group freeing the allocated memory */
 #ifndef CONFIG_DISABLE_PTHREAD
 if (ttype == TCB_FLAG_TTYPE_PTHREAD)
 {
+ /* Mark the group as deleted now */
+
+ group->tg_flags |= GROUP_FLAG_DELETED;
+
 group_drop(group);
 }
 #endif
diff --git a/sched/sched/sched_releasetcb.c b/sched/sched/sched_releasetcb.c
index 005ab60482..8c3d312895 100644
--- a/sched/sched/sched_releasetcb.c
+++ b/sched/sched/sched_releasetcb.c
@@ -176,6 +176,10 @@ int nxsched_release_tcb(FAR struct tcb_s *tcb, uint8_t ttype)
 #endif
 )
 {
+ /* Mark the group as deleted now */
+
+ ttcb->group.tg_flags |= GROUP_FLAG_DELETED;
+
 return ret;
 }
 }
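Review bot: In sched/group/group_leave.c, moving the assignment inside `#ifndef CONFIG_DISABLE_PTHREAD` and the `ttype == TCB_FLAG_TTYPE_PTHREAD` branch means group_release() no longer sets GROUP_FLAG_DELETED for any other task type, nor at all in builds that disable pthreads. The only other setter in this patch is the early-return path in nxsched_release_tcb(), whose condition starts outside that hunk, so please confirm that every path which defers freeing the TCB still ends with the flag set; otherwise the use-after-free may be traded for a TCB that is never released. The moved comment also no longer explains why the flag is conditional; something like `/* Only a pthread exit marks the group deleted here; a flag set while the task can still be waited on lets group_del_waiter() free the TCB early */` would record the invariant the fix relies on. group_release() starts and ends outside the hunk.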
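Review bot: In sched/sched/sched_releasetcb.c, the new `ttcb->group.tg_flags |= GROUP_FLAG_DELETED;` before `return ret;` is a plain read-modify-write on a field that, per the commit message, group_del_waiter() also acts on, and the hunk does not show whether nxsched_release_tcb() holds a critical section at this point. If it does not, the flag update and the waiter-side check could interleave on SMP, so the locking assumption should be confirmed and stated next to the assignment. The copied comment `/* Mark the group as deleted now */` also hides the ownership handoff that makes the early return safe; I would write `/* Group still referenced: flag it and return without freeing; presumably the last reference releases the TCB */`, adjusted to whatever the condition above the hunk actually tests. The enclosing `if` and the function body start outside the hunk.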