From 3b3c0413ac3850c9c28ebecd406d0471169d64a5 Mon Sep 17 00:00:00 2001
From: David Herrmann
Date: Thu, 23 Oct 2014 14:01:03 +0200
Subject: [PATCH] connection: hold conn_reply ref on reply_wake

We pass reply_wake around without holding any locks. It might get destructed by parallel timeouts of other replies that are faster than we are. Make sure we hold a reference to avoid those races.

Signed-off-by: David Herrmann
---
 connection.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/connection.c b/connection.c
index 091c0b0..ad467ea 100644
--- a/connection.c
+++ b/connection.c
@@ -426,7 +426,7 @@ static int kdbus_conn_check_access(struct kdbus_ep *ep,
 			if (r->reply_dst == conn_dst &&
 			    r->cookie == msg->cookie_reply) {
 				if (r->sync) {
-					*reply_wake = r;
+					*reply_wake = kdbus_conn_reply_ref(r);
 				} else {
 					list_del_init(&r->entry);
 					kdbus_conn_reply_unref(r);
@@ -826,6 +826,8 @@ int kdbus_conn_kmsg_send(struct kdbus_ep *ep,
 		kdbus_conn_reply_sync(reply_wake, ret);
 		mutex_unlock(&conn_dst->lock);
 
+		kdbus_conn_reply_unref(reply_wake);
+
 		if (ret < 0)
 			goto exit_unref;
 	} else {
-- 
2.34.1
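Review bot: The new `*reply_wake = kdbus_conn_reply_ref(r);` hands a reference to the caller, but nothing at the assignment records that ownership changes hands, and the sibling branch two lines below (`list_del_init` plus `kdbus_conn_reply_unref`) makes the asymmetry easy to misread later; add `/* ref is transferred to the caller, which must unref once the reply has been woken */` above the assignment. The reference is presumably taken under the lock that protects this reply list, which is what makes the ref safe to take at all; if this loop can run without that lock, holding a ref afterwards does not close the race the commit message describes. The enclosing function starts and ends outside the hunk, and the `@@` function name (kdbus_conn_check_access) is only the nearest preceding definition, so the actual owner of this loop cannot be confirmed here.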
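Review bot: The added `kdbus_conn_reply_unref(reply_wake);` drops the new reference only on the path that reaches kdbus_conn_reply_sync(); any exit taken between the point where reply_wake is filled in and this line (for example a `goto exit_unref` on an earlier failure) would leak the reply, which now pins its connection as well. The `} else {` below suggests this sits inside an `if (reply_wake)` branch, but kdbus_conn_kmsg_send() starts and ends outside the hunk, so whether such early exits exist between the two points cannot be confirmed from this hunk. If reply_wake is initialised to NULL and kdbus_conn_reply_unref() tolerates NULL, releasing it once on the common cleanup path after the `exit_unref` label would cover every exit in one place instead of this one branch.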