author Kinglong Mee <mijinlong@open-fs.com> 2017-12-23 23:18:14 -0500
committer Raghavendra G <rgowdapp@redhat.com> 2017-12-27 16:29:18 +0000
commit 98bbc3c94244b6bc9fd18b698ad26e2c867ca63e
tree b340d615535b97d1594f79850e1ba0f5a286b0f1
parent c6aad575171d4749d1ef2b5fc7c9fd7c32c1c59f
rpc: fix use after free of clnt after rpc transport cleanup

If the transport object is freed in rpc_transport_unref, a notify of RPC_TRANSPORT_CLEANUP is pushed to rpc_clnt_notify, where the rpc_clnt (contains conn) is freed. After that, using conn after rpc_transport_unref is a use after free.

Change-Id: I5cac8a8e7ced7c1079930080a12abf02d46667d5
Signed-off-by: Kinglong Mee <mijinlong@open-fs.com>
-rw-r--r-- rpc/rpc-lib/src/rpc-clnt.c 5
1 files changed, 4 insertions, 1 deletions
diff --git a/rpc/rpc-lib/src/rpc-clnt.c b/rpc/rpc-lib/src/rpc-clnt.c
index 06aed0a80ae..498f6b05f92 100644
--- a/rpc/rpc-lib/src/rpc-clnt.c
+++ b/rpc/rpc-lib/src/rpc-clnt.c
@@ -1764,8 +1764,11 @@ rpc_clnt_trigger_destroy (struct rpc_clnt *rpc)
/* This is to account for rpc_clnt_disable that might have been called
* before rpc_clnt_unref */
if (trans) {
- rpc_transport_unref (trans);
+ /* set conn->trans to NULL before rpc_transport_unref
+ * as rpc_transport_unref can potentially free conn
+ */
conn->trans = NULL;
+ rpc_transport_unref (trans);
}
}
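Review bot: The new comment above `conn->trans = NULL;` says only that rpc_transport_unref "can potentially free conn", which leaves out the two facts a later editor needs: that conn is embedded in the rpc_clnt freed from the RPC_TRANSPORT_CLEANUP notification (per the commit message), and that therefore neither `conn` nor `rpc` may be touched once rpc_transport_unref (trans) has been called. Please spell that out in the comment, and state that the unref must remain the last statement in the `if (trans)` block, so that code added after it later does not reintroduce the same use after free. It is also worth confirming in the patch description that no other thread can observe `conn->trans` at this point, since the store in these lines is not visibly made under a lock.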