Merge pull request #347 from embassy-rs/tmm-fix-ub

util: fix unsoundness when dropping ThreadModeMutex outside thread mode.
2021-08-05 22:30:49 +02:00 · 2021-08-05 22:30:49 +02:00 · 446ee9c2c5
commit 446ee9c2c5
parent 8a65128cfe aaa0d1419c
1 changed files with 15 additions and 2 deletions
--- a/embassy/src/util/mutex.rs
+++ b/embassy/src/util/mutex.rs
@ -82,9 +82,7 @@ impl<T> ThreadModeMutex<T> {
            inner: UnsafeCell::new(value),
        }
    }
-}

-impl<T> ThreadModeMutex<T> {
    /// Borrows the data
    pub fn borrow(&self) -> &T {
        assert!(
@ -107,6 +105,21 @@ impl<T> Mutex for ThreadModeMutex<T> {
    }
 }

+impl<T> Drop for ThreadModeMutex<T> {
+    fn drop(&mut self) {
+        // Only allow dropping from thread mode. Dropping calls drop on the inner `T`, so
+        // `drop` needs the same guarantees as `lock`. `ThreadModeMutex<T>` is Send even if
+        // T isn't, so without this check a user could create a ThreadModeMutex in thread mode,
+        // send it to interrupt context and drop it there, which would "send" a T even if T is not Send.
+        assert!(
+            in_thread_mode(),
+            "ThreadModeMutex can only be dropped from thread mode."
+        );
+
+        // Drop of the inner `T` happens after this.
+    }
+}
+
 pub fn in_thread_mode() -> bool {
    #[cfg(feature = "std")]
    return Some("main") == std::thread::current().name();