Since commit 11e8afea (runqueue should cal the complete handler from more places) the call to the complete() callback has been moved to runqueue_task_complete(). However, in runqueue_task_kill() runqueue_task_complete() is called before the kill() callback. This will result in a use after free if the complete() callback frees the task struct.
Furthermore, runqueue_start_next() is already called at the end of runqueue_task_complete(), so there is no need to call it again in runqueue_task_kill().

Signed-off-by: Alban Bedel <al...@free.fr>

--- runqueue.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/runqueue.c b/runqueue.c index a1d0133..4c621aa 100644 --- a/runqueue.c +++ b/runqueue.c @@ -196,11 +196,9 @@ void runqueue_task_kill(struct runqueue_task *t) if (!t->queued) return; - runqueue_task_complete(t); if (running && t->type->kill) t->type->kill(q, t); - - runqueue_start_next(q); + runqueue_task_complete(t); } void runqueue_stop(struct runqueue *q) -- 2.20.1
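Review bot: The reordering in runqueue_task_kill() fixes the use after free described in the message, but it silently creates a new contract that is not documented anywhere in the hunk: once `t->type->kill(q, t)` runs before `runqueue_task_complete(t)`, a kill() implementation must never free or complete the task itself, otherwise the trailing `runqueue_task_complete(t)` becomes the same use after free in the other direction. It also changes what kill() observes, since the callback now runs on a task that has not yet been completed, whereas before it saw the post-complete state; any in-tree kill() that relied on the old ordering would need auditing. Suggest a short comment above the new `runqueue_task_complete(t);` stating that it may free `t` and must remain the last statement in the function, and a line in the commit message confirming that existing kill() callbacks do not free or complete the task.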