authorSamuel Thibault <samuel.thibault@ens-lyon.org>2015-04-23 01:42:49 +0200
committerSamuel Thibault <samuel.thibault@ens-lyon.org>2015-04-23 01:42:49 +0200
commitbdd46d40d96c4da6f2b98d4e1b2aa04ba5f5848e (patch)
treeab5973113ef1780564b47cf443a22adbf18060e1
parentc9aae1b6dadccfe81f919a2cc1eb393b1fda9b03 (diff)
Avoid accessing ip_protected_payload without the lock.
* ipc/ipc_kmsg.c (ipc_kmsg_copyout_header): Avoid accessing dest->ip_protected_payload without the lock. * ipc/mach_msg.c (ipc/mach_msg.c): Avoid accessing dest_port->ip_protected_payload without the lock.
-rw-r--r--ipc/ipc_kmsg.c21
-rw-r--r--ipc/mach_msg.c14
2 files changed, 25 insertions, 10 deletions
diff --git a/ipc/ipc_kmsg.c b/ipc/ipc_kmsg.c
index 66643fd..c0f07dd 100644
--- a/ipc/ipc_kmsg.c
+++ b/ipc/ipc_kmsg.c
@@ -1766,6 +1766,7 @@ ipc_kmsg_copyout_header(
case MACH_MSGH_BITS(MACH_MSG_TYPE_PORT_SEND, 0): {
mach_port_t dest_name;
ipc_port_t nsrequest;
+ unsigned long payload;
/* receiving an asynchronous message */
@@ -1784,6 +1785,7 @@ ipc_kmsg_copyout_header(
dest_name = dest->ip_receiver_name;
else
dest_name = MACH_PORT_NULL;
+ payload = dest->ip_protected_payload;
if ((--dest->ip_srights == 0) &&
((nsrequest = dest->ip_nsrequest) != IP_NULL)) {
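Review bot: The new `payload = dest->ip_protected_payload;` read has no comment explaining why it sits here rather than at the point of use, so a later cleanup could move it back past the unlock. I would add `/* Snapshot while dest is still locked; used after the port is unlocked below. */` above it, and the same at the other read sites in this commit (the later `payload = ...` lines in ipc_kmsg_copyout_header and the three in mach_msg_trap). The unlock is outside this hunk, so the placement is inferred from the commit message. ipc_kmsg_copyout_header begins and ends outside the hunk.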
@@ -1805,8 +1807,7 @@ ipc_kmsg_copyout_header(
msg->msgh_bits = (MACH_MSGH_BITS_OTHER(mbits) |
MACH_MSGH_BITS(
0, MACH_MSG_TYPE_PROTECTED_PAYLOAD));
- msg->msgh_protected_payload =
- dest->ip_protected_payload;
+ msg->msgh_protected_payload = payload;
}
msg->msgh_remote_port = MACH_PORT_NULL;
return MACH_MSG_SUCCESS;
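Review bot: The test that selects this protected-payload branch is outside the hunk, and if it still reads a field of `dest` after the unlock, the decision and the snapshotted `payload` can come from different port states. The receiver could then get a header whose msgh_bits announce a protected payload while the value belongs to an earlier or later setting of the port. Consider capturing the predicate in a local where `payload` is read and branching on that local. The same applies to the other `msg->msgh_protected_payload = payload;` sites in this file and to the `kmsg->ikm_header.msgh_protected_payload` sites in mach_msg_trap. In the send-once cases the port reference is also dropped with `ip_release` before the branch is reached.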
@@ -1820,6 +1821,7 @@ ipc_kmsg_copyout_header(
ipc_port_t reply = (ipc_port_t) msg->msgh_local_port;
mach_port_t dest_name, reply_name;
ipc_port_t nsrequest;
+ unsigned long payload;
/* receiving a request message */
@@ -1890,6 +1892,7 @@ ipc_kmsg_copyout_header(
dest_name = dest->ip_receiver_name;
else
dest_name = MACH_PORT_NULL;
+ payload = dest->ip_protected_payload;
if ((--dest->ip_srights == 0) &&
((nsrequest = dest->ip_nsrequest) != IP_NULL)) {
@@ -1912,8 +1915,7 @@ ipc_kmsg_copyout_header(
msg->msgh_bits = (MACH_MSGH_BITS_OTHER(mbits) |
MACH_MSGH_BITS(MACH_MSG_TYPE_PORT_SEND_ONCE,
MACH_MSG_TYPE_PROTECTED_PAYLOAD));
- msg->msgh_protected_payload =
- dest->ip_protected_payload;
+ msg->msgh_protected_payload = payload;
}
msg->msgh_remote_port = reply_name;
return MACH_MSG_SUCCESS;
@@ -1921,6 +1923,7 @@ ipc_kmsg_copyout_header(
case MACH_MSGH_BITS(MACH_MSG_TYPE_PORT_SEND_ONCE, 0): {
mach_port_t dest_name;
+ unsigned long payload;
/* receiving a reply message */
@@ -1934,6 +1937,8 @@ ipc_kmsg_copyout_header(
assert(dest->ip_sorights > 0);
+ payload = dest->ip_protected_payload;
+
if (dest->ip_receiver == space) {
ip_release(dest);
dest->ip_sorights--;
@@ -1955,8 +1960,7 @@ ipc_kmsg_copyout_header(
msg->msgh_bits = (MACH_MSGH_BITS_OTHER(mbits) |
MACH_MSGH_BITS(0,
MACH_MSG_TYPE_PROTECTED_PAYLOAD));
- msg->msgh_protected_payload =
- dest->ip_protected_payload;
+ msg->msgh_protected_payload = payload;
}
msg->msgh_remote_port = MACH_PORT_NULL;
return MACH_MSG_SUCCESS;
@@ -1973,6 +1977,7 @@ ipc_kmsg_copyout_header(
mach_msg_type_name_t reply_type = MACH_MSGH_BITS_LOCAL(mbits);
ipc_port_t reply = (ipc_port_t) msg->msgh_local_port;
mach_port_t dest_name, reply_name;
+ unsigned long payload;
if (IP_VALID(reply)) {
ipc_port_t notify_port;
@@ -2219,6 +2224,7 @@ ipc_kmsg_copyout_header(
*/
copyout_dest:
+ payload = dest->ip_protected_payload;
if (ip_active(dest)) {
ipc_object_copyout_dest(space, (ipc_object_t) dest,
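Review bot: The read at `copyout_dest:` is only safe if every path that jumps to the label arrives with `dest` locked, and nothing in the hunk states that. If that is the invariant, a comment on the label such as `/* dest is locked here; read the payload before the lock is given up below */` would keep a future `goto copyout_dest` from breaking it. The value is also read before the `ip_active(dest)` check, so for an inactive port it is captured but presumably never used. That is worth confirming against the code after the hunk.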
@@ -2255,8 +2261,9 @@ ipc_kmsg_copyout_header(
msg->msgh_bits = (MACH_MSGH_BITS_OTHER(mbits) |
MACH_MSGH_BITS(reply_type,
MACH_MSG_TYPE_PROTECTED_PAYLOAD));
- msg->msgh_protected_payload = dest->ip_protected_payload;
+ msg->msgh_protected_payload = payload;
}
+
msg->msgh_remote_port = reply_name;
}
diff --git a/ipc/mach_msg.c b/ipc/mach_msg.c
index 1e122c7..aecfcd4 100644
--- a/ipc/mach_msg.c
+++ b/ipc/mach_msg.c
@@ -1041,6 +1041,7 @@ mach_msg_trap(
ipc_port_t reply_port =
(ipc_port_t) kmsg->ikm_header.msgh_local_port;
mach_port_t dest_name, reply_name;
+ unsigned long payload;
/* receiving a request message */
@@ -1115,6 +1116,7 @@ mach_msg_trap(
dest_name = dest_port->ip_receiver_name;
else
dest_name = MACH_PORT_NULL;
+ payload = dest_port->ip_protected_payload;
if ((--dest_port->ip_srights == 0) &&
(dest_port->ip_nsrequest != IP_NULL)) {
@@ -1142,7 +1144,7 @@ mach_msg_trap(
MACH_MSG_TYPE_PORT_SEND_ONCE,
MACH_MSG_TYPE_PROTECTED_PAYLOAD);
kmsg->ikm_header.msgh_protected_payload =
- dest_port->ip_protected_payload;
+ payload;
}
kmsg->ikm_header.msgh_remote_port = reply_name;
goto fast_put;
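Review bot: With the shorter right-hand side the assignment no longer needs a continuation line. `kmsg->ikm_header.msgh_protected_payload = payload;` fits the line width and matches how ipc_kmsg.c writes `msg->msgh_protected_payload = payload;` in this same commit. The two later assignments in mach_msg_trap have the same leftover line break.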
@@ -1155,6 +1157,7 @@ mach_msg_trap(
case MACH_MSGH_BITS(MACH_MSG_TYPE_PORT_SEND_ONCE, 0): {
mach_port_t dest_name;
+ unsigned long payload;
/* receiving a reply message */
@@ -1166,6 +1169,8 @@ mach_msg_trap(
assert(dest_port->ip_sorights > 0);
+ payload = dest_port->ip_protected_payload;
+
if (dest_port->ip_receiver == space) {
ip_release(dest_port);
dest_port->ip_sorights--;
@@ -1188,7 +1193,7 @@ mach_msg_trap(
0,
MACH_MSG_TYPE_PROTECTED_PAYLOAD);
kmsg->ikm_header.msgh_protected_payload =
- dest_port->ip_protected_payload;
+ payload;
}
kmsg->ikm_header.msgh_remote_port = MACH_PORT_NULL;
goto fast_put;
@@ -1197,6 +1202,7 @@ mach_msg_trap(
case MACH_MSGH_BITS_COMPLEX|
MACH_MSGH_BITS(MACH_MSG_TYPE_PORT_SEND_ONCE, 0): {
mach_port_t dest_name;
+ unsigned long payload;
/* receiving a complex reply message */
@@ -1208,6 +1214,8 @@ mach_msg_trap(
assert(dest_port->ip_sorights > 0);
+ payload = dest_port->ip_protected_payload;
+
if (dest_port->ip_receiver == space) {
ip_release(dest_port);
dest_port->ip_sorights--;
@@ -1234,7 +1242,7 @@ mach_msg_trap(
0,
MACH_MSG_TYPE_PROTECTED_PAYLOAD);
kmsg->ikm_header.msgh_protected_payload =
- dest_port->ip_protected_payload;
+ payload;
}
kmsg->ikm_header.msgh_remote_port = MACH_PORT_NULL;