kernel: queue: k_queue_poll: Fix slist access race condition All sys_slist_*() functions aren't threadsafe and calls to them must be protected with irq_lock. This is usually done in a wider caller context, but k_queue_poll() is called with irq_lock already relinquished, and is thus subject to hard to detect and explain race conditions, as e.g. was tracked in #4022. Signed-off-by: Paul Sokolovsky <paul.sokolovsky@linaro.org>

commit: 199d07e655a80699a9b3b961f5ad85d470a9ca21 [log] [tgz]
author: Paul Sokolovsky <paul.sokolovsky@linaro.org> Mon Oct 16 13:36:37 2017 +0300
committer: Carles Cufí <carles.cufi@nordicsemi.no> Tue Oct 17 10:37:47 2017 +0200
tree: f5a4df30cc098a19ffa377a03f84a785afa23deb
parent: 22d02db46e3a1e5e53279f4126d163ccd1c6453d [diff]
diff --git a/kernel/queue.c b/kernel/queue.c
index c590d44..dcf7132 100644
--- a/kernel/queue.c
+++ b/kernel/queue.c

@@ -199,6 +199,8 @@
 {
 	struct k_poll_event event;
 	int err;
+	unsigned int key;
+	void *val;
 
 	k_poll_event_init(&event, K_POLL_TYPE_FIFO_DATA_AVAILABLE,
 			  K_POLL_MODE_NOTIFY_ONLY, queue);
@@ -212,7 +214,13 @@
 
 	__ASSERT_NO_MSG(event.state == K_POLL_STATE_FIFO_DATA_AVAILABLE);
 
-	return sys_slist_get(&queue->data_q);
+	/* sys_slist_* aren't threadsafe, so must be always protected by
+	 * irq_lock.
+	 */
+	key = irq_lock();
+	val = sys_slist_get(&queue->data_q);
+	irq_unlock(key);
+	return val;
 }
 #endif /* CONFIG_POLL */
commit	199d07e655a80699a9b3b961f5ad85d470a9ca21	[log] [tgz]
author	Paul Sokolovsky <paul.sokolovsky@linaro.org>	Mon Oct 16 13:36:37 2017 +0300
committer	Carles Cufí <carles.cufi@nordicsemi.no>	Tue Oct 17 10:37:47 2017 +0200
tree	f5a4df30cc098a19ffa377a03f84a785afa23deb
parent	22d02db46e3a1e5e53279f4126d163ccd1c6453d [diff]