From 1d4845069e0ed59c852fb38f9d17db65ddacd73b Mon Sep 17 00:00:00 2001
From: Jens Axboe
Date: Thu, 30 Nov 2017 19:50:34 -0700
Subject: [PATCH] client: fix use-after-free for client timeout

We free the reply, but if it times out, we dereference it afterwards.
Store the opcode before calling into handle_cmd_timeout().

Signed-off-by: Jens Axboe
---
 client.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/client.c b/client.c
index 3b54bfdf..2b136a0f 100644
--- a/client.c
+++ b/client.c
@@ -1903,16 +1903,19 @@ static int client_check_cmd_timeout(struct fio_client *client,
 int ret = 0;
 flist_for_each_safe(entry, tmp, &client->cmd_list) {
+ unsigned int op;
+
 reply = flist_entry(entry, struct fio_net_cmd_reply, list);
 if (mtime_since(&reply->ts, now) < FIO_NET_CLIENT_TIMEOUT)
 continue;
+ op = reply->opcode;
 if (!handle_cmd_timeout(client, reply))
 continue;
 log_err("fio: client %s, timeout on cmd %s\n", client->hostname,
- fio_server_op(reply->opcode));
+ fio_server_op(op));
 ret = 1;
 }
-- 
2.25.1
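Review bot: The snapshot into `op` is the whole fix, but nothing at the `op = reply->opcode;` line records why the value is copied out, so a later cleanup could fold `reply->opcode` back into the log_err() call and silently reintroduce the use-after-free; add `/* handle_cmd_timeout() may free reply; read the opcode before the call */` above that line. The freeing itself is not visible in the hunk and is known only from the commit message, so any other field of `reply` read after the handle_cmd_timeout() call elsewhere in this function would presumably need the same treatment. client_check_cmd_timeout's body continues outside the hunk.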