[PATCH] bugfix: invalid use of cb in io_thread after suspension of the thread

[PATCH] bugfix: invalid use of cb in io_thread after suspension of the thread

[Jens Gustedt]

It seems that the buffer variable to which cb is pointing can be recycled
since long when the thread returns from the previous call to wake. At
least valgrind found that the address that cb was pointing to at line in
question hasn't been returned by malloc since long time before.

The fix is easy: the event structure has been copied onto the stack of
the thread, anyhow, so just use that copy.
---
 src/aio/aio_readwrite.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/aio/aio_readwrite.c b/src/aio/aio_readwrite.c
index e4c95aa..666372d 100644
--- a/src/aio/aio_readwrite.c
+++ b/src/aio/aio_readwrite.c
@@ -51,7 +51,7 @@ static void *io_thread(void *p)
 
 	__aio_wake();
 
-	switch (cb->aio_sigevent.sigev_notify) {
+	switch (sev.sigev_notify) {
 	case SIGEV_SIGNAL:
 		notify_signal(&sev);
 		break;
-- 
1.7.9.5

Re: [PATCH] bugfix: invalid use of cb in io_thread after suspension of the thread

[Rich Felker]

On Sun, Jun 16, 2013 at 11:55:22AM +0200, Jens Gustedt wrote:
> It seems that the buffer variable to which cb is pointing can be recycled
> since long when the thread returns from the previous call to wake. At

It's not just the call to wake. Accessing cb is invalid immediately
after the a_store to cb->__err.

> The fix is easy: the event structure has been copied onto the stack of
> the thread, anyhow, so just use that copy.

Agreed. I'm applying the fix.

Rich