connection: kdbus_cmd_msg_recv(): fix use after free

diff --git a/connection.c b/connection.c
index b2a563475dfd6d117a657cd3179c529ed9bc32ff..49286eb917792b21b4a6b00401f8cb8c972f2bcd 100644 (file)
--- a/connection.c
+++ b/connection.c
@@ -1047,11 +1047,13 @@ int kdbus_cmd_msg_recv(struct kdbus_conn *conn,
 
                kdbus_conn_queue_remove(conn, queue);
                kdbus_pool_free_range(conn->pool, queue->off);
-               kdbus_conn_queue_cleanup(queue);
                mutex_unlock(&conn->lock);
 
                if (reply)
                        kdbus_conn_reply_free(reply);
+
+               kdbus_conn_queue_cleanup(queue);
+
                goto exit;
        }