From: David Herrmann
Date: Thu, 23 Oct 2014 12:01:03 +0000 (+0200)
Subject: connection: hold conn_reply ref on reply_wake
X-Git-Tag: upstream/0.20141102.012929utc~35
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=3b3c0413ac3850c9c28ebecd406d0471169d64a5;p=platform%2Fcore%2Fsystem%2Fkdbus-bus.git

connection: hold conn_reply ref on reply_wake

We pass reply_wake around without holding any locks. It might get destructed by parallel timeouts of other replies that are faster than we are. Make sure we hold a reference to avoid those races.

Signed-off-by: David Herrmann
---

diff --git a/connection.c b/connection.c
index 091c0b0..ad467ea 100644
--- a/connection.c
+++ b/connection.c
@@ -426,7 +426,7 @@ static int kdbus_conn_check_access(struct kdbus_ep *ep,
 if (r->reply_dst == conn_dst &&
 r->cookie == msg->cookie_reply) {
 if (r->sync) {
- *reply_wake = r;
+ *reply_wake = kdbus_conn_reply_ref(r);
 } else {
 list_del_init(&r->entry);
 kdbus_conn_reply_unref(r);
@@ -826,6 +826,8 @@ int kdbus_conn_kmsg_send(struct kdbus_ep *ep,
 kdbus_conn_reply_sync(reply_wake, ret);
 mutex_unlock(&conn_dst->lock);
+ kdbus_conn_reply_unref(reply_wake);
+
 if (ret < 0)
 goto exit_unref;
 } else {
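Review bot: With `*reply_wake = kdbus_conn_reply_ref(r);` the out-parameter of kdbus_conn_check_access now hands the caller a counted reference, and nothing at the assignment or in the visible part of the signature records that contract. A comment above the assignment such as `/* caller owns a ref on *reply_wake; drop it with kdbus_conn_reply_unref() */` would keep a later caller from reintroducing either a leak or the use-after-free this commit closes. The reference only protects `r` if it is taken while the lock guarding the reply list is still held; that is presumably the case, but the locking and the enclosing loop are outside the hunk, so it is worth confirming. The function starts and ends outside the hunk.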
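Review bot: The added `kdbus_conn_reply_unref(reply_wake);` releases the reference on this branch only, so any exit taken between the call that fills reply_wake and this point (for example an earlier `goto exit_unref`) would now leak a conn_reply object. The rest of kdbus_conn_kmsg_send is outside the hunk, so this has to be checked against the full function. Because the pointer stays in scope after the drop, following it with `reply_wake = NULL;` would turn any later use into an obvious NULL dereference rather than an access to freed memory, provided no later code tests reply_wake to pick a path. A short comment here, `/* drop the ref taken in kdbus_conn_check_access() */`, would also tie the two halves of the fix together.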