libosmocore[master]: fsm: fix double llist_del in osmo_fsm_inst_term()

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.

dexter gerrit-no-reply at lists.osmocom.org
Wed Jan 17 13:23:11 UTC 2018


Patch Set 1:

> llist_del from an empty list is a safe operation. So is this a
> purely cosmetic fix or did you see any real world issue?

Yes, https://gerrit.osmocom.org/5832 causes a segfault in osmo_fsm_inst_term() when osmo_fsm_inst_unlink_parent() was called before.

I see a problem with llist_del() in linuxlist.h. llist_del() overwrites entry->next and entry->prev with LLIST_POISONn values. But before doing this it executes __list_del() which dereferences entry->prev and entry->next. When we run llist_del() a second time we segfault because we try to dereference the LLIST_POISONn addresses we assigned to the pointers last time.

We could check the addresses in llist_del() but I did not want to change the behaviour of llist_del(), probably there is a good reason why it is built that way.

-- 
To view, visit https://gerrit.osmocom.org/5831
To unsubscribe, visit https://gerrit.osmocom.org/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I4b33d508c8a11b72fbf30125088a882894d9e6ac
Gerrit-PatchSet: 1
Gerrit-Project: libosmocore
Gerrit-Branch: master
Gerrit-Owner: dexter <pmaier at sysmocom.de>
Gerrit-Reviewer: Harald Welte <laforge at gnumonks.org>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: dexter <pmaier at sysmocom.de>
Gerrit-HasComments: No
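
The double-unlink failure described in this message, with a caller-side guard, as an added example that is not libosmocore code and not the change under review. The `demo_*` names and the two poison constants are constructed stand-ins for llist_del() and the LLIST_POISONn values.

```c
#include <stdio.h>
/* Constructed stand-ins for the poison values the message calls LLIST_POISONn. */
#define DEMO_POISON1 ((struct demo_node *)0x100)
#define DEMO_POISON2 ((struct demo_node *)0x200)

struct demo_node { struct demo_node *next, *prev; };

static void demo_init(struct demo_node *h) { h->next = h->prev = h; }

static void demo_add(struct demo_node *n, struct demo_node *head)
{
	n->next = head->next;
	n->prev = head;
	head->next->prev = n;
	head->next = n;
}

/* Order described in the message: unlink through the neighbours, then poison. */
static void demo_del(struct demo_node *e)
{
	e->next->prev = e->prev; /* dereferences e->next */
	e->prev->next = e->next; /* dereferences e->prev */
	e->next = DEMO_POISON1;
	e->prev = DEMO_POISON2;
}

/* Caller-side guard: 1 if the entry was unlinked now, 0 if it already was. */
static int demo_del_once(struct demo_node *e)
{
	if (e->next == DEMO_POISON1 || e->prev == DEMO_POISON2)
		return 0; /* calling demo_del() here would dereference poison */
	demo_del(e);
	return 1;
}

/* Two entries, same one unlinked twice: first*100 + second*10 + entries left. */
static int demo_scenario(void)
{
	struct demo_node head, a, b, *p;
	int first, second, left = 0;
	demo_init(&head);
	demo_add(&a, &head);
	demo_add(&b, &head);
	first = demo_del_once(&a);
	second = demo_del_once(&a); /* unguarded, this call would crash */
	for (p = head.next; p != &head; p = p->next) left++;
	return first * 100 + second * 10 + left;
}

int main(void) { printf("%d\n", demo_scenario()); return 0; }
```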