From patchwork Mon Jun 19 12:18:36 2017
X-Patchwork-Submitter: Phil Blundell
X-Patchwork-Id: 21074
Message-ID: <1497874716.6717.39.camel@pbcl.net>
Subject: Re: gai_cancel()
From: Phil Blundell
To: Florian Weimer, libc-alpha@sourceware.org
Date: Mon, 19 Jun 2017 13:18:36 +0100
In-Reply-To: <1497870281.6717.37.camel@pbcl.net>
References: <1497627984.6717.32.camel@pbcl.net> <1497870281.6717.37.camel@pbcl.net>

On Mon, 2017-06-19 at 12:04 +0100, Phil Blundell wrote:
> Under conditions that I don't entirely understand yet, we seem to be
> somehow returning from gai_suspend while its waitlist[] entry is
> still linked into requestlist->waiting.

Here's a patch that fixes bug 20874 for me, fwiw. It still passes
"make subdirs='resolv' xcheck". OK to commit?

Phil

From 6e5dbbcfc0594dad90dc6f8b4537dba26bceb428 Mon Sep 17 00:00:00 2001
From: Phil Blundell Date: Mon, 19 Jun 2017 13:11:00 +0100 Subject: [PATCH] gai_suspend: Remove bogus check for EAI_INPROGRESS [BZ #20874] If we added an entry to the waitlist for any request, it is important that we remove it again before returning. Failing to do so will cause obscure and hard-to-debug crashes because the linked list will contain a pointer to a struct that was assigned on the stack and has since been overwritten. Although we check that the current "return value" of the request is EAI_INPROGRESS before adding an entry to its waitlist, this value may change while we sleep so we cannot assume it will still be EAI_INPROGRESS when we come to remove the entry afterwards. --- resolv/gai_suspend.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/resolv/gai_suspend.c b/resolv/gai_suspend.c index a86bd4360d..139d636c78 100644 --- a/resolv/gai_suspend.c +++ b/resolv/gai_suspend.c @@ -111,8 +111,7 @@ gai_suspend (const struct gaicb *const list[], int ent, /* Now remove the entry in the waiting list for all requests which didn't terminate. */ for (cnt = 0; cnt < ent; ++cnt) - if (list[cnt] != NULL && list[cnt]->__return == EAI_INPROGRESS - && requestlist[cnt] != NULL) + if (list[cnt] != NULL && requestlist[cnt] != NULL) { struct waitlist **listp = &requestlist[cnt]->waiting; -- 2.11.0
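Review bot: the comment above the loop, "Now remove the entry in the waiting list for all requests which didn't terminate", no longer describes the condition once `list[cnt]->__return == EAI_INPROGRESS` is dropped: the loop now unlinks the entry for every request that had one added (`requestlist[cnt] != NULL`), whether or not it has since terminated, which is exactly the intent stated in the commit message, so the comment should be updated to say so (e.g. "for all requests we added an entry to"). Since the loop now also evaluates `&requestlist[cnt]->waiting` for requests that completed while we slept, it is worth stating in the commit message or a comment why `requestlist[cnt]` is still a valid pointer at that point, as that is the invariant the removal now depends on.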
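As an added illustration of the hazard the commit message describes (a constructed model, not glibc's code and not the patch author's), the following C program links a stack-allocated waiter node into a request's `waiting` list, simulates the request completing while the caller sleeps, and then compares the two removal conditions: gating removal on the status still being in progress (the check the patch deletes) leaves the dead stack node linked, while gating it only on "did we link it" (the patch's `requestlist[cnt] != NULL`) leaves the list clean. The names `struct request`, `suspend_buggy`, `suspend_fixed` and `complete_while_sleeping` are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the gai_suspend pattern, NOT glibc code: a request
   carries a status and a singly linked list of waiters whose nodes live on
   the waiting callers' stacks. */
#define IN_PROGRESS 1
#define DONE 0

struct waitlist {
  struct waitlist *next;
};

struct request {
  int ret;                  /* IN_PROGRESS until the worker completes it */
  struct waitlist *waiting; /* waiters to wake; nodes are on their stacks */
};

/* Stand-in for "the worker finished the request while we were asleep":
   it flips the status but, like the notifier, does not unlink waiters. */
static void complete_while_sleeping(struct request *req)
{
  req->ret = DONE;
}

/* Unlink node from req->waiting if it is still there; this mirrors the
   loop body shown in the patch context. */
static void unlink_waiter(struct request *req, struct waitlist *node)
{
  struct waitlist **listp = &req->waiting;
  while (*listp != NULL && *listp != node)
    listp = &(*listp)->next;
  if (*listp != NULL)
    *listp = (*listp)->next;
}

/* Buggy variant: removal is gated on ret still being IN_PROGRESS, the
   condition the patch deletes.  If the request completed while we slept,
   the stack node stays linked after this function returns, so the list now
   holds a pointer into a dead stack frame. */
static void suspend_buggy(struct request *req)
{
  struct waitlist node;
  bool linked = false;
  if (req->ret == IN_PROGRESS) {
    node.next = req->waiting;
    req->waiting = &node;
    linked = true;
  }
  complete_while_sleeping(req);
  if (linked && req->ret == IN_PROGRESS) /* re-tests a value that changed */
    unlink_waiter(req, &node);
}

/* Fixed variant: removal keyed only on whether we linked the node, the
   role requestlist[cnt] != NULL plays in the patch. */
static void suspend_fixed(struct request *req)
{
  struct waitlist node;
  bool linked = false;
  if (req->ret == IN_PROGRESS) {
    node.next = req->waiting;
    req->waiting = &node;
    linked = true;
  }
  complete_while_sleeping(req);
  if (linked)
    unlink_waiter(req, &node);
}

/* Each returns true if the waiting list is empty after suspend returns,
   i.e. no dangling stack pointer was left behind.  Only the NULL-ness of
   the head is inspected; a dangling node is never dereferenced. */
bool waitlist_clean_after_buggy(void)
{
  struct request req = { IN_PROGRESS, NULL };
  suspend_buggy(&req);
  return req.waiting == NULL;
}

bool waitlist_clean_after_fixed(void)
{
  struct request req = { IN_PROGRESS, NULL };
  suspend_fixed(&req);
  return req.waiting == NULL;
}

int main(void)
{
  printf("buggy removal leaves list clean: %s\n",
         waitlist_clean_after_buggy() ? "yes" : "no");
  printf("fixed removal leaves list clean: %s\n",
         waitlist_clean_after_fixed() ? "yes" : "no");
  return 0;
}
```

The point the model makes is the one in the commit message: the decision "did we link a node" must be remembered by the caller itself, because the request's status is shared state that the worker may change while the caller is blocked, and a node that outlives its stack frame in a shared list is a memory-safety bug that surfaces only when that frame is reused.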