platforms/common/uORB/uORBManager.cpp: Fix a race condition in uORB c…

…allback unregistration

In protected modes, the callback needs to be removed from the processes list of callbacks before
unregistering it from the device node. Otherwise there is a risk for callback thread trying to
access a callback which was already removed from the publishing node's list.

Signed-off-by: Jukka Laitinen <[email protected]>

platforms/common/uORB/uORBManager.cpp

@@ -588,6 +588,11 @@ uORB::Manager::unregisterCallback(orb_advert_t &node_handle, SubscriptionCallbac
 #ifndef CONFIG_BUILD_FLAT
 	lock_cb_list();
 
+	// Remove the callback from the list. This must be done before unregistering from the device node
+	// otherwise the callback thread might try to call an already unregistered cb
+
+	per_process_cb_list.remove(callback_sub);
+
 	// Unregister the callback from the device node and retrieve amount of unhandled callback triggers
 	// The unregister from the node needs to be done callback_thread locked; otherwise we don't know
 	// if there are unhandled triggers left or not (due to a race between the callback thread and
@@ -598,10 +603,6 @@ uORB::Manager::unregisterCallback(orb_advert_t &node_handle, SubscriptionCallbac
 
 	callback_count += DeviceNode::unregister_callback(node_handle, cb_handle);
 
-	// Remove the callback from the list
-
-	per_process_cb_list.remove(callback_sub);
-
 	unlock_cb_list();
 #else
 	DeviceNode::unregister_callback(node_handle, cb_handle);