1 From stable-bounces@linux.kernel.org Mon Feb 5 12:34:58 2007
2 From: Trond Myklebust <Trond.Myklebust@netapp.com>
3 Date: Mon, 05 Feb 2007 12:33:23 -0800
4 Subject: NLM: Fix double free in __nlm_async_call
6 Cc: neilb@suse.de, kas@fi.muni.cz, akpm@linux-foundation.org, Trond.Myklebust@netapp.com
7 Message-ID: <200702052033.l15KXNCl030349@shell0.pdx.osdl.net>
10 From: Trond Myklebust <Trond.Myklebust@netapp.com>
12 rpc_call_async() will always call rpc_release_calldata(), so it is an
13 error for __nlm_async_call() to do so as well.
15 Addresses http://bugzilla.kernel.org/show_bug.cgi?id=7923
17 Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
18 Cc: Jan "Yenya" Kasprzak <kas@fi.muni.cz>
19 Cc: Neil Brown <neilb@suse.de>
20 Signed-off-by: Andrew Morton <akpm@osdl.org>
21 Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
24 fs/lockd/clntproc.c | 9 +++------
25 fs/lockd/svclock.c | 4 +---
26 2 files changed, 4 insertions(+), 9 deletions(-)
28 --- linux-2.6.20.1.orig/fs/lockd/clntproc.c
29 +++ linux-2.6.20.1/fs/lockd/clntproc.c
30 @@ -361,7 +361,6 @@ static int __nlm_async_call(struct nlm_r
32 struct nlm_host *host = req->a_host;
33 struct rpc_clnt *clnt;
34 - int status = -ENOLCK;
36 dprintk("lockd: call procedure %d on %s (async)\n",
37 (int)proc, host->h_name);
38 @@ -373,12 +372,10 @@ static int __nlm_async_call(struct nlm_r
39 msg->rpc_proc = &clnt->cl_procinfo[proc];
41 /* bootstrap and kick off the async RPC call */
42 - status = rpc_call_async(clnt, msg, RPC_TASK_ASYNC, tk_ops, req);
45 + return rpc_call_async(clnt, msg, RPC_TASK_ASYNC, tk_ops, req);
47 - nlm_release_call(req);
49 + tk_ops->rpc_release(req);
53 int nlm_async_call(struct nlm_rqst *req, u32 proc, const struct rpc_call_ops *tk_ops)
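Review bot: The ownership rule this fix depends on is not documented at `__nlm_async_call()`, whose body starts outside the hunk. After the change, `req` is released through `tk_ops->rpc_release` on every failure path: directly at `out_err`, and inside `rpc_call_async()` according to the commit message. Callers must therefore never release it themselves, and the direct call at `out_err` assumes every ops table passed in has a non-NULL `rpc_release`. A comment above the function would help keep the double free from being reintroduced, for example `/* Consumes req: on failure tk_ops->rpc_release(req) has already run; callers must not release it again. */`. The svclock.c call site in this patch drops its own error-path `nlmsvc_release_block()` for this reason and now ignores the return value, so a one-line comment there saying the block reference is dropped by the release callback (presumably the one in `nlmsvc_grant_ops`) would help as well.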
54 --- linux-2.6.20.1.orig/fs/lockd/svclock.c
55 +++ linux-2.6.20.1/fs/lockd/svclock.c
56 @@ -593,9 +593,7 @@ callback:
59 kref_get(&block->b_count);
60 - if (nlm_async_call(block->b_call, NLMPROC_GRANTED_MSG,
61 - &nlmsvc_grant_ops) < 0)
62 - nlmsvc_release_block(block);
63 + nlm_async_call(block->b_call, NLMPROC_GRANTED_MSG, &nlmsvc_grant_ops);