Add client references
We have a use-after-free in the fio_handle_clients() loop.
If we receive a QUIT command, we remove the client in
fio_handle_client(). But fio_handle_clients() doesn't
have a way to detect this, so it checks client->error
after it has potentially been freed.
Add a simple reference to get rid of this problem.
Signed-off-by: Jens Axboe <axboe@kernel.dk>
diff --git a/client.c b/client.c
index a65cbcb..b0ccad0 100644
--- a/client.c
+++ b/client.c
@@ -93,8 +93,10 @@
flist_for_each(entry, &client_hash[bucket]) {
client = flist_entry(entry, struct fio_client, hash_list);
- if (client->fd == fd)
+ if (client->fd == fd) {
+ client->refs++;
return client;
+ }
}
return NULL;
@@ -102,6 +104,11 @@
static void remove_client(struct fio_client *client)
{
+ assert(client->refs);
+
+ if (--client->refs)
+ return;
+
dprint(FD_NET, "client: removed <%s>\n", client->hostname);
flist_del(&client->list);
@@ -123,6 +130,11 @@
sum_stat_clients--;
}
+static void put_client(struct fio_client *client)
+{
+ remove_client(client);
+}
+
static void __fio_client_add_cmd_option(struct fio_client *client,
const char *opt)
{
@@ -187,6 +199,7 @@
client->fd = -1;
client->ops = ops;
+ client->refs = 1;
__fio_client_add_cmd_option(client, "fio");
@@ -235,6 +248,7 @@
client->fd = -1;
client->ops = ops;
+ client->refs = 1;
__fio_client_add_cmd_option(client, "fio");
@@ -1116,6 +1130,7 @@
retval = 1;
} else if (client->error)
retval = 1;
+ put_client(client);
}
}