rt domain: avoid use-after-free and re-init-while-in-use bugs

Don't just blindly overwrite the timers if they could
be still in use. The the use-after-free bug was observed
under Qemu.

2 files changed, 34 insertions, 19 deletions

diff --git a/litmus/litmus.c b/litmus/litmus.c
index 60e7507ba0..b286f8f013 100644
--- a/litmus/litmus.c
+++ b/litmus/litmus.c
@@ -36,7 +36,7 @@ static LIST_HEAD(sched_sig_list);
 static DEFINE_SPINLOCK(sched_sig_list_lock);
 
 static struct kmem_cache * heap_node_cache;
-static struct kmem_cache * release_heap_cache;
+extern struct kmem_cache * release_heap_cache;
 
 struct heap_node* heap_node_alloc(int gfp_flags)
 {
@@ -48,15 +48,8 @@ void heap_node_free(struct heap_node* hn)
         kmem_cache_free(heap_node_cache, hn);
 }
 
-struct release_heap* release_heap_alloc(int gfp_flags)
-{
-        return kmem_cache_alloc(release_heap_cache, gfp_flags);
-}
-
-void release_heap_free(struct release_heap* rh)
-{
-        kmem_cache_free(release_heap_cache, rh);
-}
+struct release_heap* release_heap_alloc(int gfp_flags);
+void release_heap_free(struct release_heap* rh);
 
 /*
  * sys_set_task_rt_param
@@ -578,8 +571,8 @@ long litmus_admit_task(struct task_struct* tsk)
                 retval = -ENOMEM;
                 heap_node_free(tsk_rt(tsk)->heap_node);
                 release_heap_free(tsk_rt(tsk)->rel_heap);
-        } else 
-                heap_node_init(&tsk_rt(tsk)->heap_node, tsk);   
+        } else
+                heap_node_init(&tsk_rt(tsk)->heap_node, tsk);
 
         if (!retval)
                 retval = litmus->admit_task(tsk);
diff --git a/litmus/rt_domain.c b/litmus/rt_domain.c
index e02ec03ca1..0357df5f93 100644
--- a/litmus/rt_domain.c
+++ b/litmus/rt_domain.c
@@ -9,6 +9,7 @@
 #include <linux/percpu.h>
 #include <linux/sched.h>
 #include <linux/list.h>
+#include <linux/slab.h>
 
 #include <litmus/litmus.h>
 #include <litmus/sched_plugin.h>
@@ -57,12 +58,39 @@ static enum hrtimer_restart on_release_timer(struct hrtimer *timer)
 
         /* call release callback */
         rh->dom->release_jobs(rh->dom, &rh->heap);
+        /* WARNING: rh can be referenced from other CPUs from now on. */
 
         TS_RELEASE_END;
 
         return  HRTIMER_NORESTART;
 }
 
+/* allocated in litmus.c */
+struct kmem_cache * release_heap_cache;
+
+struct release_heap* release_heap_alloc(int gfp_flags)
+{
+        struct release_heap* rh;
+        rh= kmem_cache_alloc(release_heap_cache, gfp_flags);
+        if (rh) {
+                /* FIXME: could be a ctor */
+                /* initialize timer */
+                hrtimer_init(&rh->timer, CLOCK_MONOTONIC, HRTIMER_MODE_ABS);
+                rh->timer.function = on_release_timer;
+#ifdef CONFIG_HIGH_RES_TIMERS
+                rh->timer.cb_mode = HRTIMER_CB_IRQSAFE_NO_RESTART;
+#endif
+        }
+        return rh;
+}
+
+void release_heap_free(struct release_heap* rh)
+{
+        /* make sure timer is no longer in use */
+        hrtimer_cancel(&rh->timer);
+        kmem_cache_free(release_heap_cache, rh);
+}
+
 /* Caller most hold release lock.
  * Will return heap for given time. If no such heap exists prior to the invocation
  * it will be created.
@@ -101,14 +129,8 @@ static struct release_heap* get_release_heap(rt_domain_t *rt, struct task_struct
                 rh->dom = rt;
                 heap_init(&rh->heap);
 
-                /* initialize timer */
-                hrtimer_init(&rh->timer, CLOCK_MONOTONIC, HRTIMER_MODE_ABS);
-                rh->timer.function = on_release_timer;
-#ifdef CONFIG_HIGH_RES_TIMERS
-                rh->timer.cb_mode = HRTIMER_CB_IRQSAFE;
-#endif
-
                 atomic_set(&rh->info.state, HRTIMER_START_ON_INACTIVE);
+
                 /* add to release queue */
                 list_add(&rh->list, pos->prev);
                 heap = rh;