eloop_destroy() frees the eloop.signals array but was not unregistering
the signal handlers. A signal received during shutdown could trigger
eloop_handle_signal(), accessing the freed memory and causing a crash
(Use-After-Free).

This fix unregisters all signals (resets to SIG_DFL) in eloop_destroy()
before freeing eloop.signals to ensure safe shutdown.

Signed-off-by: Priyansha Tiwari <pritiwa@qti.qualcomm.com>
{
struct eloop_timeout *timeout, *prev;
struct os_reltime now;
+ size_t i;
os_get_reltime(&now);
dl_list_for_each_safe(timeout, prev, &eloop.timeout,
eloop_sock_table_destroy(&eloop.readers);
eloop_sock_table_destroy(&eloop.writers);
eloop_sock_table_destroy(&eloop.exceptions);
+
+ for (i = 0; i < eloop.signal_count; i++)
+ signal(eloop.signals[i].sig, SIG_DFL);
+
os_free(eloop.signals);
#ifdef CONFIG_ELOOP_POLL
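Review bot: After `os_free(eloop.signals);` the visible lines leave eloop.signals and eloop.signal_count untouched, so the new loop in eloop_destroy() would walk a freed array if the function runs a second time. Anything else that consults signal_count after destroy would hit the same stale state. Unless the lines below this hunk already clear them, add `eloop.signals = NULL;` and `eloop.signal_count = 0;` directly after the free. Two smaller points on the loop itself: `signal(eloop.signals[i].sig, SIG_DFL);` drops whatever disposition was installed before eloop registered its handler instead of restoring it. For signals whose default action is termination, a signal arriving during the remaining cleanup now ends the process before that cleanup finishes. A short comment stating that this is the intended trade-off would help.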