From: Zheng Bin <zhengbin13@huawei.com> hulk inclusion category: bugfix bugzilla: 35486 CVE: NA ----------------------------------------------- If RPC use udp as it's transport protocol, transport->connect_worker will call xs_udp_setup_socket. xs_setup_udp INIT_DELAYED_WORK(&transport->connect_worker, xs_udp_setup_socket) xs_connect | | queue_delayed_work| | |xprt_destroy | | wait_on_bit_lock(LOCKED) | | del_timer_sync(del timer) | | xprt_destroy_cb | | xs_destroy | | cancel_delayed_work_sync| | |xs_udp_setup_socket | | xprt_unlock_connect | | test_bit(XPRT_LOCKED(OK) | | xprt_schedule_autodisconnect | | mod_timer(insert timer to list) | xs_xprt_free(free xprt) | | | access timer(use-after-free) Delete xprt->timer to avoid this. Signed-off-by: Zheng Bin <zhengbin13@huawei.com> Reviewed-by: YueHaibing <yuehaibing@huawei.com> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> --- net/sunrpc/xprtsock.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c index 627eb8337f3a..1f8d97084237 100644 --- a/net/sunrpc/xprtsock.c +++ b/net/sunrpc/xprtsock.c @@ -915,6 +915,7 @@ static void xs_destroy(struct rpc_xprt *xprt) dprintk("RPC: xs_destroy xprt %p\n", xprt); cancel_delayed_work_sync(&transport->connect_worker); + del_timer_sync(&xprt->timer); xs_close(xprt); cancel_work_sync(&transport->recv_worker); xs_xprt_free(xprt); -- 2.25.1