From 8f689aec1499fa0c8d1b49cff1a51a9f0dcd8890 Mon Sep 17 00:00:00 2001
From: Dan Hyde <drh@umich.edu>
Date: Wed, 6 Jan 2010 10:49:39 -0500
Subject: [PATCH] volmonitor copy link before calling free

Copy tt->next before TRELE(tt) calls free(tt).

We have a core file from a VTRANS_OBJ_LOCK(tt) assert failure, with tt
pointing into glibc's malloc data structures.

Change-Id: Id52b774520c59c224b58f5d507cc490dafea5ca1
Reviewed-on: http://gerrit.openafs.org/1069
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Tested-by: Andrew Deason <adeason@sinenomine.net>
Reviewed-by: Thomas L. Kula <tkula@umich.edu>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Dan Hyde <drh@umich.edu>
Reviewed-by: Derrick Brashear <shadow@dementia.org>
---
 src/volser/volprocs.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/volser/volprocs.c b/src/volser/volprocs.c
index 9afc8995a..6ead0a5cc 100644
--- a/src/volser/volprocs.c
+++ b/src/volser/volprocs.c
@@ -2701,7 +2701,7 @@ VolMonitor(struct rx_call *acid, transDebugEntries *transInfo)
 {
     transDebugInfo *pntr;
     afs_int32 allocSize = 50;
-    struct volser_trans *tt, *allTrans;
+    struct volser_trans *tt, *nt, *allTrans;
 
     transInfo->transDebugEntries_val =
 	(transDebugInfo *) malloc(allocSize * sizeof(transDebugInfo));
@@ -2714,8 +2714,9 @@ VolMonitor(struct rx_call *acid, transDebugEntries *transInfo)
     allTrans = TransList();
     if (allTrans == (struct volser_trans *)0)
 	goto done;		/*no active transactions */
-    for (tt = allTrans; tt; tt = tt->next) {	/*copy relevant info into pntr */
+    for (tt = allTrans; tt; tt = nt) {	/*copy relevant info into pntr */
         THOLD(tt);  /* do not delete tt while copying info */
+	nt = tt->next;
         VTRANS_UNLOCK;
         VTRANS_OBJ_LOCK(tt);
 	pntr->tid = tt->tid;
-- 
2.39.5