| Message ID | 20200604144910.133756-1-zhengbin13@huawei.com |
|---|---|
| State | New |
| Headers | show |
| Series | sunrpc: need delete xprt->timer in xs_destroy | expand |
diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c index 845d0be805ec..c796808e7f7a 100644 --- a/net/sunrpc/xprtsock.c +++ b/net/sunrpc/xprtsock.c @@ -1242,6 +1242,7 @@ static void xs_destroy(struct rpc_xprt *xprt) dprintk("RPC: xs_destroy xprt %p\n", xprt); cancel_delayed_work_sync(&transport->connect_worker); + del_timer_sync(&xprt->timer); xs_close(xprt); cancel_work_sync(&transport->recv_worker); cancel_work_sync(&transport->error_worker);
If RPC use udp as it's transport protocol, transport->connect_worker will call xs_udp_setup_socket. xs_udp_setup_socket sock = xs_create_sock if (IS_ERR(sock)) goto out; out: xprt_unlock_connect xprt_schedule_autodisconnect mod_timer internal_add_timer -->insert xprt->timer to base timer list xs_destroy cancel_delayed_work_sync(&transport->connect_worker) xs_xprt_free(xprt) -->free xprt Thus use-after-free will happen. Signed-off-by: Zheng Bin <zhengbin13@huawei.com> --- net/sunrpc/xprtsock.c | 1 + 1 file changed, 1 insertion(+) -- 2.26.0.106.g9fadedd