[OpenWrt-Devel] [PATCH] runqueue: Fix the callbacks order in runqueue_task_kill()

Petr Štetiar ynezz at true.cz
Wed Mar 11 10:54:33 EDT 2020

Alban <albeu at free.fr> [2019-07-01 16:23:42]:


Sorry for the late response, but I've just noticed that it's related to
libubox and got interested. I would use a "PATCH libubox" subject next time so
it's clearer at first sight.

> No, TBH I haven't tested this, but as there is no documentation I had
> to go through the code and noticed this suspicious construct. I then
> saw commit 6a7fb7d8d (runqueue: fix use-after-free bug) which confirmed
> that complete() is expected to free the task struct, which with the
> above code will clearly lead to an access after free.

Can I kindly ask you for an additional favor, adding a unit test case which would
expose this bug? It's going to help us in the future with possible regressions
etc. It's not mandatory (yet), but really nice and really helps with
merging/reviewing the changes much faster (at least for me).

libubox contains unit tests already, and the tests are run on CI[1] automatically. One
of the test runs happens under Valgrind, another under various clang
sanitizers, which should hopefully catch these use-after-free bugs.

You can find a basic unit test for the runqueue component in
`tests/test-runqueue.c`, perhaps you could adjust this test directly (or write
a new one) in order to expose the bug.


1. http://lists.infradead.org/pipermail/openwrt-devel/2019-December/020831.html

-- ynezz
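
The shape such a regression test could take, as an added example that is not part of the original message and not libubox code. It assumes, from the patch subject and the quoted description, that the problem is kill() being invoked after complete() has released the task; `struct task` and all function names are hypothetical, and release is modelled with a flag instead of free() so the wrong order is observable without undefined behaviour.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified stand-in for a runqueue task (hypothetical, not libubox's struct). */
struct task {
	void (*complete)(struct task *t);
	void (*kill)(struct task *t);
	bool running;
	bool released;	/* models free(): set once complete() has run */
};

static int stale_calls;	/* callbacks that saw an already released task */

static void on_complete(struct task *t) { t->released = true; }
static void on_kill(struct task *t) { if (t->released) stale_calls++; }

/* Assumed buggy order: complete() releases the task, kill() runs afterwards. */
static void task_kill_complete_first(struct task *t)
{
	bool running = t->running;

	t->complete(t);
	if (running && t->kill)
		t->kill(t);
}

/* Assumed fixed order: kill() runs while the task is still owned. */
static void task_kill_kill_first(struct task *t)
{
	if (t->running && t->kill)
		t->kill(t);
	t->complete(t);
}

/* Returns how many callbacks touched the task after it was released. */
static int stale_callbacks(void (*kill_fn)(struct task *))
{
	struct task t = { on_complete, on_kill, true, false };

	stale_calls = 0;
	kill_fn(&t);
	return stale_calls;
}

int main(void)
{
	printf("complete first: %d stale\n", stale_callbacks(task_kill_complete_first));
	printf("kill first:     %d stale\n", stale_callbacks(task_kill_kill_first));
	return 0;
}
```

In a real test against libubox the complete() callback would call free(), and the Valgrind and sanitizer CI runs mentioned above would report the stale access instead of a counter.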