volmonitor copy link before calling free

Copy tt->next before TRELE(tt) calls free(tt).

We have a core file from a VTRANS_OBJ_LOCK(tt) assert failure, with tt
pointing into glibc's malloc data structures.
(cherry picked from commit 81ca1e19600681a2c5696610130b9a39809bb1c1)

Change-Id: I5ba81f9e3a76f52578ab3b9dec394b6d95b03934
Reviewed-on: http://gerrit.openafs.org/1586
Reviewed-by: Dan Hyde <drh@umich.edu>
Tested-by: Dan Hyde <drh@umich.edu>
Reviewed-by: Derrick Brashear <shadow@dementia.org>
(cherry picked from commit 0583af324ca2cbc556722b9e84d85cad49cfc622)

diff --git a/src/volser/volprocs.c b/src/volser/volprocs.c
index 48cd7a0c332a6d11a2c24eb4a0eab608f9be4da6..bdf5ab1efb931023deae1c0ede898c3bf4c5b28b 100644 (file)
--- a/src/volser/volprocs.c
+++ b/src/volser/volprocs.c
@@ -2642,7 +2642,7 @@ VolMonitor(struct rx_call *acid, transDebugEntries *transInfo)
 {
     transDebugInfo *pntr;
     afs_int32 allocSize = 50;
-    struct volser_trans *tt, *allTrans;
+    struct volser_trans *tt, *nt, *allTrans;
 
     transInfo->transDebugEntries_val =
        (transDebugInfo *) malloc(allocSize * sizeof(transDebugInfo));
@@ -2655,8 +2655,9 @@ VolMonitor(struct rx_call *acid, transDebugEntries *transInfo)
     allTrans = TransList();
     if (allTrans == (struct volser_trans *)0)
        goto done;              /*no active transactions */
-    for (tt = allTrans; tt; tt = tt->next) {   /*copy relevant info into pntr */
+    for (tt = allTrans; tt; tt = nt) { /*copy relevant info into pntr */
         THOLD(tt);  /* do not delete tt while copying info */
+       nt = tt->next;
         VTRANS_UNLOCK;
         VTRANS_OBJ_LOCK(tt);
        pntr->tid = tt->tid;