From d7f794743f7ab3ca09258196212861751acf8a37 Mon Sep 17 00:00:00 2001
From: Craig Tiller
Date: Mon, 10 Jul 2023 11:28:24 -0700
Subject: [PATCH] [promises] Fix use-after-free noticed internally (#33644)

CQ can access the call up until it's retrieved by the application, and so needs to hold a ref.
---
 src/core/lib/surface/call.cc | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/core/lib/surface/call.cc b/src/core/lib/surface/call.cc
index c7420ca5b54..cef87bec5ce 100644
--- a/src/core/lib/surface/call.cc
+++ b/src/core/lib/surface/call.cc
@@ -2479,9 +2479,13 @@ void PromiseBasedCall::FinishOpOnCompletion(Completion* completion,
 ExecCtx::Run(DEBUG_LOCATION, static_cast(pending.tag), error);
 } else {
+ InternalRef("cq_end_op");
 grpc_cq_end_op(
- cq(), pending.tag, error, [](void*, grpc_cq_completion*) {}, nullptr,
- &completion_info_[i].completion);
+ cq(), pending.tag, error,
+ [](void* p, grpc_cq_completion*) {
+ static_cast(p)->InternalUnref("cq_end_op");
+ },
+ this, &completion_info_[i].completion);
 }
 }
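Review bot: The new `InternalRef("cq_end_op")` before `grpc_cq_end_op` and the matching `InternalUnref` inside the done callback are paired across a lambda and a `void*` round-trip with nothing in the code saying why, which makes the lifetime invariant easy to break in a later edit; add a comment above the ref such as `// The CQ keeps a pointer to completion_info_[i].completion (call-owned storage) until the application retrieves the event, so the call must stay alive until the done callback runs.` The `ExecCtx::Run` branch just above takes no ref, which looks intentional since it hands the CQ no call-owned storage, but that asymmetry is worth a one-line note too so a reader does not assume it was overlooked. In this rendering the cast target types in `static_cast(pending.tag)` and `static_cast(p)` appear to have been stripped; the real patch presumably names the call type in the second cast, and the reason string `"cq_end_op"` could be a single named constant so the ref and unref cannot drift apart. The enclosing `FinishOpOnCompletion` begins outside the hunk.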