Fix: use after free of a relayd stream

[lttng-tools.git] / src / bin / lttng-relayd / main.c

diff --git a/src/bin/lttng-relayd/main.c b/src/bin/lttng-relayd/main.c
index 53eaca2cbf944327b95aa0fced58bb564bb8013f..d82a3412d7b8578be8f5b39abf0a9fd949ff07bc 100644 (file)
--- a/src/bin/lttng-relayd/main.c
+++ b/src/bin/lttng-relayd/main.c
@@ -1340,6 +1340,18 @@ int relay_close_stream(struct lttcomm_relayd_hdr *recv_hdr,
        session->stream_count--;
        assert(session->stream_count >= 0);
 
+       /*
+        * Remove the stream from the connection recv list since we are about to
+        * flag it invalid and thus might be freed. This has to be done here since
+        * only the control thread can do actions on that list.
+        *
+        * Note that this stream might NOT be in the list but we have to try to
+        * remove it here else this can race with the stream destruction freeing
+        * the object and the connection destroy doing a use after free when
+        * deleting the remaining nodes in this list.
+        */
+       cds_list_del(&stream->recv_list);
+
        /* Check if we can close it or else the data will do it. */
        try_close_stream(session, stream);
 
@@ -2389,7 +2401,7 @@ static void destroy_connection(struct lttng_ht *relay_connections_ht,
        connection_delete(relay_connections_ht, conn);
 
        /* For the control socket, we try to destroy the session. */
-       if (conn->type == RELAY_CONTROL) {
+       if (conn->type == RELAY_CONTROL && conn->session) {
                destroy_session(conn->session, conn->sessions_ht);
        }