1 From stable-bounces@linux.kernel.org Mon Feb 5 12:34:58 2007
2 From: Trond Myklebust <Trond.Myklebust@netapp.com>
3 Date: Mon, 05 Feb 2007 12:33:23 -0800
4 Subject: NLM: Fix double free in __nlm_async_call
5 To: stable@kernel.org
6 Cc: neilb@suse.de, kas@fi.muni.cz, akpm@linux-foundation.org, Trond.Myklebust@netapp.com
7 Message-ID: <200702052033.l15KXNCl030349@shell0.pdx.osdl.net>
8
9
10 From: Trond Myklebust <Trond.Myklebust@netapp.com>
11
12 rpc_call_async() will always call rpc_release_calldata(), so it is an
13 error for __nlm_async_call() to do so as well.
14
15 Addresses http://bugzilla.kernel.org/show_bug.cgi?id=7923
16
17 Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
18 Cc: Jan "Yenya" Kasprzak <kas@fi.muni.cz>
19 Cc: Neil Brown <neilb@suse.de>
20 Signed-off-by: Andrew Morton <akpm@osdl.org>
21 Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
22
23 ---
24 fs/lockd/clntproc.c | 9 +++------
25 fs/lockd/svclock.c | 4 +---
26 2 files changed, 4 insertions(+), 9 deletions(-)
27
28 --- linux-2.6.20.1.orig/fs/lockd/clntproc.c
29 +++ linux-2.6.20.1/fs/lockd/clntproc.c
30 @@ -361,7 +361,6 @@ static int __nlm_async_call(struct nlm_r
31 {
32 struct nlm_host *host = req->a_host;
33 struct rpc_clnt *clnt;
34 - int status = -ENOLCK;
35
36 dprintk("lockd: call procedure %d on %s (async)\n",
37 (int)proc, host->h_name);
38 @@ -373,12 +372,10 @@ static int __nlm_async_call(struct nlm_r
39 msg->rpc_proc = &clnt->cl_procinfo[proc];
40
41 /* bootstrap and kick off the async RPC call */
42 - status = rpc_call_async(clnt, msg, RPC_TASK_ASYNC, tk_ops, req);
43 - if (status == 0)
44 - return 0;
45 + return rpc_call_async(clnt, msg, RPC_TASK_ASYNC, tk_ops, req);
46 out_err:
47 - nlm_release_call(req);
48 - return status;
49 + tk_ops->rpc_release(req);
50 + return -ENOLCK;
51 }
52
53 int nlm_async_call(struct nlm_rqst *req, u32 proc, const struct rpc_call_ops *tk_ops)
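Review bot: The `out_err:` path now calls `tk_ops->rpc_release(req)` directly, with no check that the ops table sets `rpc_release`, while the success path releases through rpc_call_async(), which per the commit message goes via rpc_release_calldata(). If any caller can pass an ops table without a release callback (not visible here), this would be a NULL function-pointer call in kernel context; a guard such as `if (tk_ops->rpc_release != NULL) tk_ops->rpc_release(req);` keeps the two paths equivalent. The new ownership rule also deserves a comment above the function, e.g. `/* Consumes req on every path: callers must not release or touch it after return, even on error. */`, since the double free came from that rule being implicit. The function body begins outside this hunk.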
54 --- linux-2.6.20.1.orig/fs/lockd/svclock.c
55 +++ linux-2.6.20.1/fs/lockd/svclock.c
56 @@ -593,9 +593,7 @@ callback:
57
58 /* Call the client */
59 kref_get(&block->b_count);
60 - if (nlm_async_call(block->b_call, NLMPROC_GRANTED_MSG,
61 - &nlmsvc_grant_ops) < 0)
62 - nlmsvc_release_block(block);
63 + nlm_async_call(block->b_call, NLMPROC_GRANTED_MSG, &nlmsvc_grant_ops);
64 }
65
66 /*
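Review bot: The return value of nlm_async_call() is now discarded right after `kref_get(&block->b_count)`, and nothing in the hunk says who drops that reference when the call fails. Presumably the release callback in `nlmsvc_grant_ops` does so on both paths (its definition is not visible here), which would make the removed nlmsvc_release_block() a second put; a comment such as `/* nlm_async_call() always releases b_call through nlmsvc_grant_ops, which drops this reference; do not put it again here. */` would keep the check from being reintroduced. A failed GRANTED callback is also silent now, so a `dprintk` on a negative return would help when diagnosing lost grants. The enclosing function starts before this hunk.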