From 42d745387a0b75f539b6ad45e32305199b59c53a Mon Sep 17 00:00:00 2001 From: Quentin Young Date: Fri, 1 Dec 2017 14:44:32 -0500 Subject: [PATCH] lib: avoid crash when cancelling invalid rw job There are some observed instances where we end up trying to cancel a rw job based on a file descriptor that we don't have a reference on. The specific cancel function for rw jobs assumes it's called with a file descriptor that is valid within pollfds and will cause a segmentation fault by buffer overrun if this is not the case. Instead log it and move on. Since the fd does not exist this should patch over the buggy behavior and provide additional information to help in finding the root cause. Reviewed-by: Donald Sharp Signed-off-by: Quentin Young --- lib/thread.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/lib/thread.c b/lib/thread.c index d26db88550..9d64663d9c 100644 --- a/lib/thread.c +++ b/lib/thread.c @@ -919,6 +919,8 @@ struct thread *funcname_thread_add_event(struct thread_master *m, */ static void thread_cancel_rw(struct thread_master *master, int fd, short state) { + bool found = false; + /* Cancel POLLHUP too just in case some bozo set it */ state |= POLLHUP; @@ -926,8 +928,18 @@ static void thread_cancel_rw(struct thread_master *master, int fd, short state) nfds_t i; for (i = 0; i < master->handler.pfdcount; i++) - if (master->handler.pfds[i].fd == fd) + if (master->handler.pfds[i].fd == fd) { + found = true; break; + } + + if (!found) { + zlog_debug( + "[!] Received cancellation request for nonexistent rw job"); + zlog_debug("[!] threadmaster: %s | fd: %d", + master->name ? master->name : "", fd); + return; + } /* NOT out event. */ master->handler.pfds[i].events &= ~(state);