From 248c1cf7dce15b358f857c8fce009cb33559ff78 Mon Sep 17 00:00:00 2001
From: whitequark <whitequark@whitequark.org>
Date: Mon, 12 Nov 2018 15:39:55 +0000
Subject: [PATCH] firmware: fix another TOCTTOU race in sync/async RPC code.

---
 artiq/firmware/ksupport/lib.rs                | 13 +++++++++++++
 artiq/firmware/libproto_artiq/kernel_proto.rs |  1 +
 artiq/firmware/runtime/session.rs             |  8 +++++++-
 3 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/artiq/firmware/ksupport/lib.rs b/artiq/firmware/ksupport/lib.rs
index 8d481f7b5..d176f5551 100644
--- a/artiq/firmware/ksupport/lib.rs
+++ b/artiq/firmware/ksupport/lib.rs
@@ -518,6 +518,19 @@ pub unsafe fn main() {
         attribute_writeback(typeinfo as *const ());
     }
 
+    // Make sure all async RPCs are processed before exiting.
+    // Otherwise, if the comms and kernel CPU run in the following sequence:
+    //
+    //    comms                     kernel
+    //    -----------------------   -----------------------
+    //    check for async RPC
+    //                              post async RPC
+    //                              post RunFinished
+    //    check for mailbox
+    //
+    // the async RPC would be missed.
+    send(&RpcFlush);
+
     send(&RunFinished);
 
     loop {}
diff --git a/artiq/firmware/libproto_artiq/kernel_proto.rs b/artiq/firmware/libproto_artiq/kernel_proto.rs
index ae794ec34..1dd60e77f 100644
--- a/artiq/firmware/libproto_artiq/kernel_proto.rs
+++ b/artiq/firmware/libproto_artiq/kernel_proto.rs
@@ -73,6 +73,7 @@ pub enum Message<'a> {
     },
     RpcRecvRequest(*mut ()),
     RpcRecvReply(Result<usize, Exception<'a>>),
+    RpcFlush,
 
     CacheGetRequest { key: &'a str },
     CacheGetReply   { value: &'static [i32] },
diff --git a/artiq/firmware/runtime/session.rs b/artiq/firmware/runtime/session.rs
index 28dbcadef..f95febc4a 100644
--- a/artiq/firmware/runtime/session.rs
+++ b/artiq/firmware/runtime/session.rs
@@ -417,7 +417,13 @@ fn process_kern_message(io: &Io, mut stream: Option<&mut TcpStream>,
                         kern_acknowledge()
                     }
                 }
-            }
+            },
+            &kern::RpcFlush => {
+                // See ksupport/lib.rs for the reason this request exists.
+                // We do not need to do anything here because of how the main loop is
+                // structured.
+                kern_acknowledge()
+            },
 
             &kern::CacheGetRequest { key } => {
                 let value = session.congress.cache.get(key);