If RPC use udp as it's transport protocol, transport->connect_worker
will call xs_udp_setup_socket.
xs_udp_setup_socket
sock = xs_create_sock
if (IS_ERR(sock))
goto out;
out:
xprt_unlock_connect
xprt_schedule_autodisconnect
mod_timer
internal_add_timer -->insert xprt->timer to base timer list
xs_destroy
cancel_delayed_work_sync(&transport->connect_worker)
xs_xprt_free(xprt) -->free xprt
Thus use-after-free will happen.
Signed-off-by: Zheng Bin <zhengbin13@xxxxxxxxxx>
---
net/sunrpc/xprtsock.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c
index 845d0be805ec..c796808e7f7a 100644
--- a/net/sunrpc/xprtsock.c
+++ b/net/sunrpc/xprtsock.c
@@ -1242,6 +1242,7 @@ static void xs_destroy(struct rpc_xprt *xprt)
dprintk("RPC: xs_destroy xprt %p\n", xprt);
cancel_delayed_work_sync(&transport->connect_worker);
+ del_timer_sync(&xprt->timer);
xs_close(xprt);
cancel_work_sync(&transport->recv_worker);
cancel_work_sync(&transport->error_worker);
--
2.26.0.106.g9fadedd
