From 82766d1093daccc933bfcdae44d3634db61806fe Mon Sep 17 00:00:00 2001
From: Nikolaus Rath
Date: Wed, 12 Jul 2017 16:43:23 +0200
Subject: sftp_readdir_async(): don't access request when it may have been freed
Fixes: #7
---
 ChangeLog.rst | 6 ++++++
 sshfs.c | 7 ++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/ChangeLog.rst b/ChangeLog.rst
index b1f7b79..606fa9d 100644
--- a/ChangeLog.rst
+++ b/ChangeLog.rst
@@ -1,3 +1,9 @@
+Unreleased Changes
+------------------
+
+* Fixed a crash due to a race condition when listing
+ directory contents.
+
 Release 3.0.0 (2017-07-08)
 --------------------------
diff --git a/sshfs.c b/sshfs.c
index a20f727..f9ae9eb 100644
--- a/sshfs.c
+++ b/sshfs.c
@@ -2073,11 +2073,16 @@ static int sftp_readdir_async(struct buffer *handle, void *buf, off_t offset,
 outstanding--;
 if (done) {
+ /* We need to cache want_reply, since processing
+ thread may free req right after unlock() if
+ want_reply == 0 */
+ int want_reply;
 pthread_mutex_lock(&sshfs.lock);
 if (sshfs_req_pending(req))
 req->want_reply = 0;
+ want_reply = req->want_reply;
 pthread_mutex_unlock(&sshfs.lock);
- if (!req->want_reply)
+ if (!want_reply)
 continue;
 }
--
cgit v1.2.3
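Review bot: The added comment in the `if (done)` block of sshfs.c explains why `want_reply` is cached, but it does not state the ownership rule the fix depends on: once `req->want_reply` is 0 and `sshfs.lock` has been released, the processing thread may free `req`, so this path must not dereference it again. I would make that explicit, e.g. `/* After unlock() with want_reply == 0 the processing thread owns req and may free it; do not touch req below. */`, so a later edit to the `continue` branch does not reintroduce the use-after-free. The body of sftp_readdir_async starts and ends outside the hunk, so whether other unlocked reads of `req->want_reply` remain elsewhere cannot be checked from here; any that exist would need the same treatment.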