From: Felix Fietkau <nbd@nbd.name>
Date: Wed, 14 Jun 2017 10:08:42 +0000 (+0200)
Subject: runqueue: fix use-after-free bug
X-Git-Url: http://git.archive.openwrt.org/?p=project%2Flibubox.git;a=commitdiff_plain;h=6a7fb7d8df308d18167051447fa489de389588df;hp=368fd2645878edadc72c60948d1f19c6769751d6

runqueue: fix use-after-free bug

Calling t->complete in runqueue_task_complete can free the memory
associated with t. Change the runqueue_start_next accordingly.

Fixes https://github.com/openwrt/openwrt/issues/493

Signed-off-by: Felix Fietkau <nbd@nbd.name>
---

diff --git a/runqueue.c b/runqueue.c
index 1d9fa4b..a1d0133 100644
--- a/runqueue.c
+++ b/runqueue.c
@@ -232,7 +232,7 @@ void runqueue_task_complete(struct runqueue_task *t)
 	t->cancelled = false;
 	if (t->complete)
 		t->complete(q, t);
-	runqueue_start_next(t->q);
+	runqueue_start_next(q);
 }
 
 static void