We have a use-after-free in the fio_handle_clients() loop.
If we receive a QUIT command, we remove the client in
fio_handle_client(). But fio_handle_clients() doesn't
have a way to detect this, so it checks client->error
after it has potentially been freed.
Add a simple reference count to get rid of this problem.
Signed-off-by: Jens Axboe <axboe@kernel.dk>
char *hostname;
int port;
int fd;
char *hostname;
int port;
int fd;
flist_for_each(entry, &client_hash[bucket]) {
client = flist_entry(entry, struct fio_client, hash_list);
flist_for_each(entry, &client_hash[bucket]) {
client = flist_entry(entry, struct fio_client, hash_list);
+ if (client->fd == fd) {
+ client->refs++;
static void remove_client(struct fio_client *client)
{
static void remove_client(struct fio_client *client)
{
+ assert(client->refs);
+
+ if (--client->refs)
+ return;
+
dprint(FD_NET, "client: removed <%s>\n", client->hostname);
flist_del(&client->list);
dprint(FD_NET, "client: removed <%s>\n", client->hostname);
flist_del(&client->list);
+static void put_client(struct fio_client *client)
+{
+ remove_client(client);
+}
+
static void __fio_client_add_cmd_option(struct fio_client *client,
const char *opt)
{
static void __fio_client_add_cmd_option(struct fio_client *client,
const char *opt)
{
return -1;
client->fd = -1;
return -1;
client->fd = -1;
__fio_client_add_cmd_option(client, "fio");
__fio_client_add_cmd_option(client, "fio");
retval = 1;
} else if (client->error)
retval = 1;
retval = 1;
} else if (client->error)
retval = 1;
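Review bot: `remove_client` (L20) now returns early whenever references remain, so its name no longer describes what it does, and the new `put_client` (L33) is an identical one-line wrapper, which leaves two names for one operation; anyone reading a `remove_client` call will assume an unconditional teardown. I would state the contract above `remove_client`: `/* Drop one reference; the client is unlinked and freed only when refs reaches zero. A reference taken via find_client_by_fd() must be released with put_client(). */`, and mark the lookup at L19 with `/* returns with a reference held; release with put_client() */`. The `assert(client->refs)` at L24 is the only guard: built with NDEBUG, a client whose count is already zero would see `--client->refs` go nonzero and silently return, turning a double drop into a leak rather than a crash, so a hard check may be preferable if that path is reachable (the declared type of `refs` is not visible here). All three functions begin or end outside the hunk, and the fio_handle_clients() loop the commit message describes appears only as context at L50-L55.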