runqueue: fix use-after-free bug
[project/libubox.git] / ustream-fd.c
index 93fd501..b546fa1 100644 (file)
@@ -25,7 +25,7 @@ static void ustream_fd_set_uloop(struct ustream *s, bool write)
 {
        struct ustream_fd *sf = container_of(s, struct ustream_fd, stream);
        struct ustream_buf *buf;
-       unsigned int flags = ULOOP_EDGE_TRIGGER;
+       unsigned int flags = ULOOP_EDGE_TRIGGER | ULOOP_ERROR_CB;
 
        if (!s->read_blocked && !s->eof)
                flags |= ULOOP_READ;
@@ -35,9 +35,6 @@ static void ustream_fd_set_uloop(struct ustream *s, bool write)
                flags |= ULOOP_WRITE;
 
        uloop_fd_add(&sf->fd, flags);
-
-       if (flags & ULOOP_READ)
-               sf->fd.cb(&sf->fd, ULOOP_READ);
 }
 
 static void ustream_fd_set_read_blocked(struct ustream *s)
@@ -53,22 +50,30 @@ static void ustream_fd_read_pending(struct ustream_fd *sf, bool *more)
        char *buf;
 
        do {
+               if (s->read_blocked)
+                       break;
+
                buf = ustream_reserve(s, 1, &buflen);
                if (!buf)
                        break;
 
                len = read(sf->fd.fd, buf, buflen);
-               if (!len) {
-                       sf->fd.eof = true;
-                       return;
-               }
-
                if (len < 0) {
                        if (errno == EINTR)
                                continue;
 
-                       if (errno == EAGAIN)
+                       if (errno == EAGAIN || errno == ENOTCONN)
                                return;
+
+                       len = 0;
+               }
+
+               if (!len) {
+                       if (!s->eof)
+                               ustream_state_change(s);
+                       s->eof = true;
+                       ustream_fd_set_uloop(s, false);
+                       return;
                }
 
                ustream_fill_read(s, len);
@@ -79,48 +84,53 @@ static void ustream_fd_read_pending(struct ustream_fd *sf, bool *more)
 static int ustream_fd_write(struct ustream *s, const char *buf, int buflen, bool more)
 {
        struct ustream_fd *sf = container_of(s, struct ustream_fd, stream);
-       ssize_t len;
+       ssize_t ret = 0, len;
 
        if (!buflen)
                return 0;
 
-retry:
-       len = write(sf->fd.fd, buf, buflen);
-       if (!len)
-               goto retry;
+       while (buflen) {
+               len = write(sf->fd.fd, buf, buflen);
+
+               if (len < 0) {
+                       if (errno == EINTR)
+                               continue;
+
+                       if (errno == EAGAIN || errno == EWOULDBLOCK || errno == ENOTCONN)
+                               break;
 
-       if (len < 0) {
-               if (errno == EINTR)
-                       goto retry;
+                       return -1;
+               }
 
-               if (errno == EAGAIN || errno == EWOULDBLOCK)
-                       len = 0;
+               ret += len;
+               buf += len;
+               buflen -= len;
        }
 
-       if (len >= 0 && len < buflen)
+       if (buflen)
                ustream_fd_set_uloop(s, true);
 
-       return len;
+       return ret;
 }
 
 static bool __ustream_fd_poll(struct ustream_fd *sf, unsigned int events)
 {
        struct ustream *s = &sf->stream;
-       struct uloop_fd *fd = &sf->fd;
        bool more = false;
 
        if (events & ULOOP_READ)
                ustream_fd_read_pending(sf, &more);
 
        if (events & ULOOP_WRITE) {
-               if (!ustream_write_pending(s))
+               bool no_more = ustream_write_pending(s);
+               if (no_more)
                        ustream_fd_set_uloop(s, false);
        }
 
-       if (!s->eof && fd->eof) {
-               s->eof = true;
-               ustream_fd_set_uloop(s, false);
+       if (sf->fd.error && !s->write_error) {
                ustream_state_change(s);
+               s->write_error = true;
+               ustream_fd_set_uloop(s, false);
        }
 
        return more;