From mboxrd@z Thu Jan  1 00:00:00 1970
X-Msuck: nntp://news.gmane.org/gmane.linux.lib.musl.general/3423
Path: news.gmane.org!not-for-mail
From: Rich Felker <dalias@aerifal.cx>
Newsgroups: gmane.linux.lib.musl.general
Subject: Re: [PATCH] bugfix: invalid use of cb in io_thread after
 suspension of the thread
Date: Sun, 16 Jun 2013 10:38:30 -0400
Message-ID: <20130616143830.GN29800@brightrain.aerifal.cx>
References: <1371376451.16425.370.camel@eris.loria.fr>
Reply-To: musl@lists.openwall.com
NNTP-Posting-Host: plane.gmane.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Trace: ger.gmane.org 1371393525 18698 80.91.229.3 (16 Jun 2013 14:38:45 GMT)
X-Complaints-To: usenet@ger.gmane.org
NNTP-Posting-Date: Sun, 16 Jun 2013 14:38:45 +0000 (UTC)
To: musl@lists.openwall.com
Original-X-From: musl-return-3427-gllmg-musl=m.gmane.org@lists.openwall.com Sun Jun 16 16:38:46 2013
Return-path: <musl-return-3427-gllmg-musl=m.gmane.org@lists.openwall.com>
Envelope-to: gllmg-musl@plane.gmane.org
Original-Received: from mother.openwall.net ([195.42.179.200])
	by plane.gmane.org with smtp (Exim 4.69)
	(envelope-from <musl-return-3427-gllmg-musl=m.gmane.org@lists.openwall.com>)
	id 1UoE6P-0004NT-4H
	for gllmg-musl@plane.gmane.org; Sun, 16 Jun 2013 16:38:45 +0200
Original-Received: (qmail 11595 invoked by uid 550); 16 Jun 2013 14:38:43 -0000
Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm
Precedence: bulk
List-Post: <mailto:musl@lists.openwall.com>
List-Help: <mailto:musl-help@lists.openwall.com>
List-Unsubscribe: <mailto:musl-unsubscribe@lists.openwall.com>
List-Subscribe: <mailto:musl-subscribe@lists.openwall.com>
Original-Received: (qmail 11587 invoked from network); 16 Jun 2013 14:38:43 -0000
Content-Disposition: inline
In-Reply-To: <1371376451.16425.370.camel@eris.loria.fr>
User-Agent: Mutt/1.5.21 (2010-09-15)
Xref: news.gmane.org gmane.linux.lib.musl.general:3423
Archived-At: <http://permalink.gmane.org/gmane.linux.lib.musl.general/3423>

On Sun, Jun 16, 2013 at 11:55:22AM +0200, Jens Gustedt wrote:
> It seems that the buffer variable to which cb is pointing can be recycled
> since long when the thread returns from the previous call to wake. At

It's not just the call to wake. Accessing cb is invalid immediately
after the a_store to cb->__err.

> The fix is easy: the event structure has been copied onto the stack of
> the thread, anyhow, so just use that copy.

Agreed. I'm applying the fix.

Rich