From: Jens Gustedt
Newsgroups: gmane.linux.lib.musl.general
Subject: [PATCH] bugfix: invalid use of cb in io_thread after suspension of the thread
Date: Sun, 16 Jun 2013 11:55:22 +0200
Message-ID: <1371376451.16425.370.camel@eris.loria.fr>
Reply-To: musl@lists.openwall.com
To: musl@lists.openwall.com
Xref: news.gmane.org gmane.linux.lib.musl.general:3415

It seems that the buffer variable to which cb is pointing may have long since been recycled by the time the thread returns from the previous call to wake. At least valgrind found that the address that cb was pointing to at the line in question hadn't been returned by malloc for a long time before that.

The fix is easy: the event structure has been copied onto the stack of the thread anyhow, so just use that copy.
---
 src/aio/aio_readwrite.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/aio/aio_readwrite.c b/src/aio/aio_readwrite.c index e4c95aa..666372d 100644 --- a/src/aio/aio_readwrite.c +++ b/src/aio/aio_readwrite.c @@ -51,7 +51,7 @@ static void *io_thread(void *p) __aio_wake(); - switch (cb->aio_sigevent.sigev_notify) { + switch (sev.sigev_notify) { case SIGEV_SIGNAL: notify_signal(&sev); break; -- 1.7.9.5
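Review bot: the replacement of `cb->aio_sigevent.sigev_notify` with `sev.sigev_notify` is the right fix for the read-after-wake, but the hunk only shows this one dereference of `cb` after `__aio_wake()`; please confirm that nothing else in `io_thread` touches `cb` once the wake has run, since per the description the aiocb may already have been freed and reused at that point. The surrounding context already hands `&sev` to `notify_signal`, so taking the notify type from the same stack copy is consistent. It would also help the commit message to say explicitly that the copy into `sev` has to be complete before `__aio_wake()`, because that wake is what allows the caller to release the aiocb, and to note that the valgrind report pointed at a freed block rather than only at "an address not returned by malloc".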