[patch 080/101] NLM: Fix double free in __nlm_async_call

From: Greg KH
Date: Wed Mar 07 2007 - 12:28:46 EST

Next message: Greg KH: "[patch 077/101] Backport of psmouse suspend/shutdown cleanups"
Previous message: Srivatsa Vaddagiri: "Re: [PATCH 0/2] resource control file system - aka containers on top of nsproxy!"
In reply to: Greg KH: "[patch 079/101] RPM: fix double free in portmapper code"
Next in thread: Greg KH: "[patch 077/101] Backport of psmouse suspend/shutdown cleanups"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Trond Myklebust <Trond.Myklebust@xxxxxxxxxx>

rpc_call_async() will always call rpc_release_calldata(), so it is an
error for __nlm_async_call() to do so as well.

Addresses http://bugzilla.kernel.org/show_bug.cgi?id=7923

Signed-off-by: Trond Myklebust <Trond.Myklebust@xxxxxxxxxx>
Cc: Jan "Yenya" Kasprzak <kas@xxxxxxxxxx>
Cc: Neil Brown <neilb@xxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>

---
fs/lockd/clntproc.c | 9 +++------
fs/lockd/svclock.c | 4 +---
2 files changed, 4 insertions(+), 9 deletions(-)

--- linux-2.6.20.1.orig/fs/lockd/clntproc.c
+++ linux-2.6.20.1/fs/lockd/clntproc.c
@@ -361,7 +361,6 @@ static int __nlm_async_call(struct nlm_r
{
struct nlm_host *host = req->a_host;
struct rpc_clnt *clnt;
- int status = -ENOLCK;

dprintk("lockd: call procedure %d on %s (async)\n",
(int)proc, host->h_name);
@@ -373,12 +372,10 @@ static int __nlm_async_call(struct nlm_r
msg->rpc_proc = &clnt->cl_procinfo[proc];

/* bootstrap and kick off the async RPC call */
- status = rpc_call_async(clnt, msg, RPC_TASK_ASYNC, tk_ops, req);
- if (status == 0)
- return 0;
+ return rpc_call_async(clnt, msg, RPC_TASK_ASYNC, tk_ops, req);
out_err:
- nlm_release_call(req);
- return status;
+ tk_ops->rpc_release(req);
+ return -ENOLCK;
}

int nlm_async_call(struct nlm_rqst *req, u32 proc, const struct rpc_call_ops *tk_ops)
--- linux-2.6.20.1.orig/fs/lockd/svclock.c
+++ linux-2.6.20.1/fs/lockd/svclock.c
@@ -593,9 +593,7 @@ callback:

/* Call the client */
kref_get(&block->b_count);
- if (nlm_async_call(block->b_call, NLMPROC_GRANTED_MSG,
- &nlmsvc_grant_ops) < 0)
- nlmsvc_release_block(block);
+ nlm_async_call(block->b_call, NLMPROC_GRANTED_MSG, &nlmsvc_grant_ops);
}

/*

--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Greg KH: "[patch 077/101] Backport of psmouse suspend/shutdown cleanups"
Previous message: Srivatsa Vaddagiri: "Re: [PATCH 0/2] resource control file system - aka containers on top of nsproxy!"
In reply to: Greg KH: "[patch 079/101] RPM: fix double free in portmapper code"
Next in thread: Greg KH: "[patch 077/101] Backport of psmouse suspend/shutdown cleanups"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]