util: fix unsoundness when dropping ThreadModeMutex outside thread mode.

Fixes #283
author: Dario Nieuwenhuis <[email protected]> 2021-08-05 22:20:16 +0200
committer: Dario Nieuwenhuis <[email protected]> 2021-08-05 22:20:45 +0200
commit: aaa0d1419cca754add76950ac9bae8a3dd526964 (patch)
tree: bf10936b0b92eacb7a125db3f5b739f1d47c0d91
parent: 8a65128cfed335e637ee80c91b1efc7b3c58ba10 (diff)
1 files changed, 15 insertions, 2 deletions
diff --git a/embassy/src/util/mutex.rs b/embassy/src/util/mutex.rs
index 0506ffe6f..9a00a409e 100644
--- a/embassy/src/util/mutex.rs
+++ b/embassy/src/util/mutex.rs
@@ -82,9 +82,7 @@ impl<T> ThreadModeMutex<T> {
            inner: UnsafeCell::new(value),
        }
    }
-}
-impl<T> ThreadModeMutex<T> {
    /// Borrows the data
    pub fn borrow(&self) -> &T {
        assert!(
@@ -107,6 +105,21 @@ impl<T> Mutex for ThreadModeMutex<T> {
    }
 }
+impl<T> Drop for ThreadModeMutex<T> {
+    fn drop(&mut self) {
+        // Only allow dropping from thread mode. Dropping calls drop on the inner `T`, so
+        // `drop` needs the same guarantees as `lock`. `ThreadModeMutex<T>` is Send even if
+        // T isn't, so without this check a user could create a ThreadModeMutex in thread mode,
+        // send it to interrupt context and drop it there, which would "send" a T even if T is not Send.
+        assert!(
+            in_thread_mode(),
+            "ThreadModeMutex can only be dropped from thread mode."
+        );
+        // Drop of the inner `T` happens after this.
+    }
+}
 pub fn in_thread_mode() -> bool {
    #[cfg(feature = "std")]
    return Some("main") == std::thread::current().name();
author	Dario Nieuwenhuis <[email protected]>	2021-08-05 22:20:16 +0200
committer	Dario Nieuwenhuis <[email protected]>	2021-08-05 22:20:45 +0200
commit	aaa0d1419cca754add76950ac9bae8a3dd526964 (patch)
tree	bf10936b0b92eacb7a125db3f5b739f1d47c0d91
parent	8a65128cfed335e637ee80c91b1efc7b3c58ba10 (diff)