From 9955295c5910f716b14099f0329df0975898a512 Mon Sep 17 00:00:00 2001
From: Jukka Laitinen
Date: Wed, 21 Feb 2024 10:03:07 +0200
Subject: [PATCH] platforms/common/uORB/uORBManager.cpp: Fix a race condition in uORB callback unregistration

In protected modes, the callback needs to be removed from the processes list of callbacks before unregistering it from the device node. Otherwise there is a risk for callback thread trying to access a callback which was already removed from the publishing node's list.

Signed-off-by: Jukka Laitinen
---
 platforms/common/uORB/uORBManager.cpp | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/platforms/common/uORB/uORBManager.cpp b/platforms/common/uORB/uORBManager.cpp
index 05e6319d0523..291d84271d7d 100644
--- a/platforms/common/uORB/uORBManager.cpp
+++ b/platforms/common/uORB/uORBManager.cpp
@@ -588,6 +588,11 @@ uORB::Manager::unregisterCallback(orb_advert_t &node_handle, SubscriptionCallbac
 #ifndef CONFIG_BUILD_FLAT
 lock_cb_list();

+ // Remove the callback from the list. This must be done before unregistering from the device node
+ // otherwise the callback thread might try to call an already unregistered cb
+
+ per_process_cb_list.remove(callback_sub);
+
 // Unregister the callback from the device node and retrieve amount of unhandled callback triggers
 // The unregister from the node needs to be done callback_thread locked; otherwise we don't know
 // if there are unhandled triggers left or not (due to a race between the callback thread and
@@ -598,10 +603,6 @@ uORB::Manager::unregisterCallback(orb_advert_t &node_handle, SubscriptionCallbac

 callback_count += DeviceNode::unregister_callback(node_handle, cb_handle);

- // Remove the callback from the list
-
- per_process_cb_list.remove(callback_sub);
-
 unlock_cb_list();
 #else
 DeviceNode::unregister_callback(node_handle, cb_handle);
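Review bot: The ordering introduced by the added lines in unregisterCallback (list removal before `DeviceNode::unregister_callback`) is what keeps the callback thread away from a subscription that is being torn down, yet the new comment does not say why holding `lock_cb_list()` around both calls is not already sufficient. The callback thread's side is not visible in this hunk, so I would spell the invariant out, for example `// callback_sub must be unreachable through per_process_cb_list before the node drops cb_handle; triggers still pending for it are accounted for via callback_count below`, adjusted to what that thread really does. The result of `per_process_cb_list.remove(callback_sub)` is also discarded, so unregistering a callback that is not in the list appears to proceed to the node unregister unnoticed; a debug assertion or log at that point would make a double unregister visible. The function body starts before and ends after the hunk.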