connection: hold conn_reply ref on reply_wake
author: David Herrmann <dh.herrmann@gmail.com>
Thu, 23 Oct 2014 12:01:03 +0000 (14:01 +0200)
committer: David Herrmann <dh.herrmann@gmail.com>
Thu, 23 Oct 2014 12:01:03 +0000 (14:01 +0200)
We pass reply_wake around without holding any locks. It might get
destructed by parallel timeouts of other replies that are faster than we
are. Make sure we hold a reference to avoid those races.

Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
connection.c

index 091c0b030684c8915ce6e451e3a2e8b802cd3696..ad467ea27ff0b9a3ac7e6c955752749f8fe1d9a1 100644 (file)
@@ -426,7 +426,7 @@ static int kdbus_conn_check_access(struct kdbus_ep *ep,
                        if (r->reply_dst == conn_dst &&
                            r->cookie == msg->cookie_reply) {
                                if (r->sync) {
-                                       *reply_wake = r;
+                                       *reply_wake = kdbus_conn_reply_ref(r);
                                } else {
                                        list_del_init(&r->entry);
                                        kdbus_conn_reply_unref(r);
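Review bot: Ownership of the reference returned via `*reply_wake` is now the caller's, but nothing in this hunk documents that, and the function's comment block (outside the hunk) should state it, e.g. "on success, *reply_wake holds a reference the caller must drop with kdbus_conn_reply_unref()". Every path in the caller that can reach an error exit after `kdbus_conn_check_access()` has set `*reply_wake` needs to drop that reference, not only the success path; please double-check the callers in `kdbus_conn_kmsg_send()` for early returns between the access check and the point where the reply is consumed. Note also the asymmetry with the `else` branch, which does `list_del_init(&r->entry)` and `kdbus_conn_reply_unref(r)`: the sync entry stays on the list with its list reference intact and the new reference on top, so the later unref only balances the ref taken here, which is the intended behaviour as long as the entry is removed elsewhere.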
@@ -826,6 +826,8 @@ int kdbus_conn_kmsg_send(struct kdbus_ep *ep,
                kdbus_conn_reply_sync(reply_wake, ret);
                mutex_unlock(&conn_dst->lock);
 
+               kdbus_conn_reply_unref(reply_wake);
+
                if (ret < 0)
                        goto exit_unref;
        } else {
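Review bot: The `kdbus_conn_reply_unref(reply_wake)` is correctly placed after `mutex_unlock(&conn_dst->lock)` and before `if (ret < 0) goto exit_unref;`, so both the success and the failure leg of this branch drop the reference taken in `kdbus_conn_check_access()`. What this hunk does not show is whether `reply_wake` can be non-NULL on a path that never reaches this block (for example a failure between the access check and this `kdbus_conn_reply_sync()` call); if so, the `exit_unref` label or the corresponding error path should also unref it, otherwise the reply object leaks on that path. A one-line comment above the unref saying it pairs with the ref taken in `kdbus_conn_check_access()` would make the pairing obvious to the next reader.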