From 6a7fb7d8df308d18167051447fa489de389588df Mon Sep 17 00:00:00 2001
From: Felix Fietkau <nbd@nbd.name>
Date: Wed, 14 Jun 2017 12:08:42 +0200
Subject: [PATCH] runqueue: fix use-after-free bug

Calling t->complete in runqueue_task_complete can free the memory
associated with t. Change the runqueue_start_next accordingly.

Fixes https://github.com/openwrt/openwrt/issues/493

Signed-off-by: Felix Fietkau <nbd@nbd.name>
---
 runqueue.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/runqueue.c b/runqueue.c
index 1d9fa4b..a1d0133 100644
--- a/runqueue.c
+++ b/runqueue.c
@@ -232,7 +232,7 @@ void runqueue_task_complete(struct runqueue_task *t)
 	t->cancelled = false;
 	if (t->complete)
 		t->complete(q, t);
-	runqueue_start_next(t->q);
+	runqueue_start_next(q);
 }
 
 static void
-- 
2.11.0