From 98bbc3c94244b6bc9fd18b698ad26e2c867ca63e Mon Sep 17 00:00:00 2001
From: Kinglong Mee
Date: Sat, 23 Dec 2017 23:18:14 -0500
Subject: rpc: fix use after freed of clnt after rpc transport clenup
If the transport object is freed in rpc_transport_unref, a notify of RPC_TRANSPORT_CLEANUP is push to rpc_clnt_notify, where the rpc_clnt(contains conn) is freed. After that, using of conn after rpc_transport_unref is use after freed.
Change-Id: I5cac8a8e7ced7c1079930080a12abf02d46667d5
Signed-off-by: Kinglong Mee
---
rpc/rpc-lib/src/rpc-clnt.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'rpc/rpc-lib/src')
diff --git a/rpc/rpc-lib/src/rpc-clnt.c b/rpc/rpc-lib/src/rpc-clnt.c
index 06aed0a80ae..498f6b05f92 100644
--- a/rpc/rpc-lib/src/rpc-clnt.c
+++ b/rpc/rpc-lib/src/rpc-clnt.c
@@ -1764,8 +1764,11 @@ rpc_clnt_trigger_destroy (struct rpc_clnt *rpc)
 /* This is to account for rpc_clnt_disable that might have been called
 * before rpc_clnt_unref */
 if (trans) {
- rpc_transport_unref (trans);
+ /* set conn->trans to NULL before rpc_transport_unref
+ * as rpc_transport_unref can potentially free conn
+ */
 conn->trans = NULL;
+ rpc_transport_unref (trans);
 }
 }
-- 
cgit
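Review bot: The new comment above `conn->trans = NULL;` says only that `rpc_transport_unref` can free `conn`, but the commit message says the whole `rpc_clnt` is freed through the RPC_TRANSPORT_CLEANUP notify, so `rpc` itself is also dead after the call and the comment should state that, e.g. `/* rpc_transport_unref may free rpc (and thus conn) via RPC_TRANSPORT_CLEANUP; neither rpc nor conn may be touched after it */`. The `conn->trans = NULL` store is done with no lock visible in the hunk; if other paths read `conn->trans` under `conn->lock`, it is worth confirming in the commit that this last-reference context makes the unlocked store safe. Inside the hunk only the closing braces follow the unref, so the new code itself honours the ordering, but the rest of `rpc_clnt_trigger_destroy` starts outside the hunk. Any other site in the file that unrefs a transport still reachable through `conn->trans` would need the same NULL-then-unref order, and this commit visits only this one.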