author | Kinglong Mee <mijinlong@open-fs.com> | 2017-12-23 23:18:14 -0500 |
---|---|---|
committer | Raghavendra G <rgowdapp@redhat.com> | 2017-12-27 16:29:18 +0000 |
commit | 98bbc3c94244b6bc9fd18b698ad26e2c867ca63e (patch) | |
tree | b340d615535b97d1594f79850e1ba0f5a286b0f1 | |
parent | c6aad575171d4749d1ef2b5fc7c9fd7c32c1c59f (diff) |
rpc: fix use after free of clnt after rpc transport cleanup
If the transport object is freed in rpc_transport_unref,
a notify of RPC_TRANSPORT_CLEANUP is pushed to rpc_clnt_notify,
where the rpc_clnt (contains conn) is freed.
After that, using conn after rpc_transport_unref is a use after free.
Change-Id: I5cac8a8e7ced7c1079930080a12abf02d46667d5
Signed-off-by: Kinglong Mee <mijinlong@open-fs.com>
-rw-r--r-- | rpc/rpc-lib/src/rpc-clnt.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/rpc/rpc-lib/src/rpc-clnt.c b/rpc/rpc-lib/src/rpc-clnt.c index 06aed0a80ae..498f6b05f92 100644 --- a/rpc/rpc-lib/src/rpc-clnt.c +++ b/rpc/rpc-lib/src/rpc-clnt.c @@ -1764,8 +1764,11 @@ rpc_clnt_trigger_destroy (struct rpc_clnt *rpc) /* This is to account for rpc_clnt_disable that might have been called * before rpc_clnt_unref */ if (trans) { - rpc_transport_unref (trans); + /* set conn->trans to NULL before rpc_transport_unref + * as rpc_transport_unref can potentially free conn + */ conn->trans = NULL; + rpc_transport_unref (trans); } } |
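Review bot: The new comment above `conn->trans = NULL;` says rpc_transport_unref can free conn but not how, so the ordering constraint is easy to lose in a later edit. The commit message has the reason (the freed transport pushes RPC_TRANSPORT_CLEANUP to rpc_clnt_notify, which frees the rpc_clnt that contains conn); putting that path in the comment would make it clear that `rpc`, not only `conn`, must not be dereferenced once `rpc_transport_unref (trans);` returns. Separately, the visible context does not show whether a lock is held for the store to `conn->trans`; if other paths read that field under a lock, the store should take it as well.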