X-Patchwork-Submitter: Phil Blundell
X-Patchwork-Id: 21265
Message-ID: <1498487169.6717.64.camel@pbcl.net>
Subject: Re: gai_cancel()
From: Phil Blundell
To: Florian Weimer, libc-alpha@sourceware.org
Date: Mon, 26 Jun 2017 15:26:09 +0100
In-Reply-To: <1497874716.6717.39.camel@pbcl.net>
References: <1497627984.6717.32.camel@pbcl.net> <1497870281.6717.37.camel@pbcl.net> <1497874716.6717.39.camel@pbcl.net>

On Mon, 2017-06-19 at 13:18 +0100, Phil Blundell wrote:
> On Mon, 2017-06-19 at 12:04 +0100, Phil Blundell wrote:
> > Under conditions that I don't entirely understand yet, we seem to
> > be somehow returning from gai_suspend while its waitlist[] entry is
> > still linked into requestlist->waiting.
>
> Here's a patch that fixes bug 20874 for me, fwiw.  It still passes
> "make subdirs='resolv' xcheck".
>
> OK to commit?

Ping?

2017-06-26  Phil Blundell

	* resolv/gai_suspend.c (gai_suspend): Ensure we always remove the
	entry we added to the waitlist before returning.

From 6e5dbbcfc0594dad90dc6f8b4537dba26bceb428 Mon Sep 17 00:00:00 2001
From: Phil Blundell Date: Mon, 19 Jun 2017 13:11:00 +0100 Subject: [PATCH] gai_suspend: Remove bogus check for EAI_INPROGRESS [BZ #20874] If we added an entry to the waitlist for any request, it is important that we remove it again before returning. Failing to do so will cause obscure and hard-to-debug crashes because the linked list will contain a pointer to a struct that was assigned on the stack and has since been overwritten. Although we check that the current "return value" of the request is EAI_INPROGRESS before adding an entry to its waitlist, this value may change while we sleep so we cannot assume it will still be EAI_INPROGRESS when we come to remove the entry afterwards. --- resolv/gai_suspend.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/resolv/gai_suspend.c b/resolv/gai_suspend.c index a86bd4360d..139d636c78 100644 --- a/resolv/gai_suspend.c +++ b/resolv/gai_suspend.c @@ -111,8 +111,7 @@ gai_suspend (const struct gaicb *const list[], int ent, /* Now remove the entry in the waiting list for all requests which didn't terminate. */ for (cnt = 0; cnt < ent; ++cnt) - if (list[cnt] != NULL && list[cnt]->__return == EAI_INPROGRESS - && requestlist[cnt] != NULL) + if (list[cnt] != NULL && requestlist[cnt] != NULL) { struct waitlist **listp = &requestlist[cnt]->waiting;
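
Review bot: the comment kept above the loop, "Now remove the entry in the waiting list for all requests which didn't terminate", no longer matches the condition once the `list[cnt]->__return == EAI_INPROGRESS` test is dropped, because the loop now also visits requests that have already completed; please reword it to say that every entry this call added to a waitlist is removed before returning. With the new condition, `&requestlist[cnt]->waiting` is dereferenced for completed requests as well, so the commit message should state why requestlist[cnt] is still valid to dereference at that point, and confirm that the list walk that follows copes with the entry already being absent from the list. The ChangeLog entry should also carry the [BZ #20874] marker that the subject line has.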