From 68aad3e4822921d4d2cdaf60fed76ccf3e3e7bf7 Mon Sep 17 00:00:00 2001
From: whitequark
Date: Mon, 12 Nov 2018 15:28:27 +0000
Subject: [PATCH] firmware: fix TOCTTOU race in sync/async RPC code.
Before this commit, the main loop in session code was laid like: 1. process_kern_queued_rpc 2. process_host_message 3. process_kern_message If a host message (such as an RPC reply) caused the kernel to exit, then any async RPCs would not complete, since RunFinished immediately shuts down the kernel. Fix this by reordering 1 and 2.
---
 artiq/firmware/runtime/session.rs | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/artiq/firmware/runtime/session.rs b/artiq/firmware/runtime/session.rs
index d9812861b..28dbcadef 100644
--- a/artiq/firmware/runtime/session.rs
+++ b/artiq/firmware/runtime/session.rs
@@ -497,16 +497,16 @@ fn host_kernel_worker(io: &Io,
 let mut session = Session::new(congress);
 loop {
- while !rpc_queue::empty() {
- process_kern_queued_rpc(stream, &mut session)?
- }
-
 if stream.can_recv() {
 process_host_message(io, stream, &mut session)?
 } else if !stream.may_recv() {
 return Ok(())
 }
+ while !rpc_queue::empty() {
+ process_kern_queued_rpc(stream, &mut session)?
+ }
+
 if mailbox::receive() != 0 {
 process_kern_message(io, Some(stream), &mut session)?;
 }
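Review bot: The queue drain and the `mailbox::receive() != 0` check are still two separate steps, so the reorder narrows the check-to-use window rather than closing it. If the kernel core can push an async RPC and then post its terminating message after the `while !rpc_queue::empty()` loop has exited, `process_kern_message` would presumably handle RunFinished with an entry still queued; its body and the kernel side are not visible in this hunk, so this needs confirming. Draining again once the mailbox is seen non-empty would cover that case, e.g. `while !rpc_queue::empty() { process_kern_queued_rpc(stream, &mut session)? }` as the first statement inside the `if mailbox::receive() != 0` branch. Because statement order is now what prevents lost RPCs, a comment above the drain loop such as `// Drain queued async RPCs after host messages and before kernel messages: RunFinished stops the kernel.` would keep a later refactor from undoing it. The `loop` body continues past the end of the hunk.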