[OpenWrt-Devel] [PATCH] runqueue: Fix the callbacks order in runqueue_task_kill()

John Crispin john at phrozen.org
Mon Jul 1 09:48:47 EDT 2019


On 21/06/2019 17:38, Alban Bedel wrote:
> Since commit 11e8afea (runqueue should cal the complete handler from
> more places) the call to the complete() callback has been moved to
> runqueue_task_complete().  However in runqueue_task_kill()
> runqueue_task_complete() is called before the kill() callback.
> This will result in a use after free if the complete() callback frees
> the task struct.
>
> Furthermore runqueue_start_next() is already called at the end of
> runqueue_task_complete(), so there is no need to call it again in
> runqueue_task_kill().
>
> Signed-off-by: Alban Bedel <albeu at free.fr>
> ---
>   runqueue.c | 4 +---
>   1 file changed, 1 insertion(+), 3 deletions(-)
>
> diff --git a/runqueue.c b/runqueue.c
> index a1d0133..4c621aa 100644
> --- a/runqueue.c
> +++ b/runqueue.c
> @@ -196,11 +196,9 @@ void runqueue_task_kill(struct runqueue_task *t)
>   	if (!t->queued)
>   		return;
>   
> -	runqueue_task_complete(t);
>   	if (running && t->type->kill)
>   		t->type->kill(q, t);
> -
> -	runqueue_start_next(q);
> +	runqueue_task_complete(t);
>   }
>   
>   void runqueue_stop(struct runqueue *q)
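Review bot: the condition `if (running && t->type->kill)` depends on `running`, which is assigned outside this hunk; the commit message should state whether it is a snapshot taken before the old `runqueue_task_complete(t)` call or a value that `runqueue_task_complete()` can change, because that decides whether the previous order could skip the kill() callback and whether the new order changes behaviour beyond the use-after-free. The removal of `runqueue_start_next(q)` rests on the claim that `runqueue_task_complete()` already calls it, which is not visible in the hunk; a pointer to where it does so would let a reviewer check that nothing stops scheduling the next task. With the move, `t` is no longer dereferenced after `runqueue_task_complete(t)`, which is what closes the use-after-free described in the message.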

Hi,

runqueue_task_complete() will decrement running which, if called after the kill clause, might not even trigger the kill() call. I am assuming you are running a custom runqueue_task_type?

  John


