Commit a995e9eb3258df6ab2e9f958e08003978e50d568
1 parent
ce35a81a71
Exists in
master
and in
7 other branches
NLM: Fix double free in __nlm_async_call
rpc_call_async() will always call rpc_release_calldata(), so it is an error for __nlm_async_call() to do so as well. Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Showing 2 changed files with 4 additions and 9 deletions Side-by-side Diff
fs/lockd/clntproc.c
| ... | ... | @@ -361,7 +361,6 @@ |
| 361 | 361 | { |
| 362 | 362 | struct nlm_host *host = req->a_host; |
| 363 | 363 | struct rpc_clnt *clnt; |
| 364 | - int status = -ENOLCK; | |
| 365 | 364 | |
| 366 | 365 | dprintk("lockd: call procedure %d on %s (async)\n", |
| 367 | 366 | (int)proc, host->h_name); |
| 368 | 367 | |
| ... | ... | @@ -373,12 +372,10 @@ |
| 373 | 372 | msg->rpc_proc = &clnt->cl_procinfo[proc]; |
| 374 | 373 | |
| 375 | 374 | /* bootstrap and kick off the async RPC call */ |
| 376 | - status = rpc_call_async(clnt, msg, RPC_TASK_ASYNC, tk_ops, req); | |
| 377 | - if (status == 0) | |
| 378 | - return 0; | |
| 375 | + return rpc_call_async(clnt, msg, RPC_TASK_ASYNC, tk_ops, req); | |
| 379 | 376 | out_err: |
| 380 | - nlm_release_call(req); | |
| 381 | - return status; | |
| 377 | + tk_ops->rpc_release(req); | |
| 378 | + return -ENOLCK; | |
| 382 | 379 | } |
| 383 | 380 | |
| 384 | 381 | int nlm_async_call(struct nlm_rqst *req, u32 proc, const struct rpc_call_ops *tk_ops) |
fs/lockd/svclock.c
| ... | ... | @@ -593,9 +593,7 @@ |
| 593 | 593 | |
| 594 | 594 | /* Call the client */ |
| 595 | 595 | kref_get(&block->b_count); |
| 596 | - if (nlm_async_call(block->b_call, NLMPROC_GRANTED_MSG, | |
| 597 | - &nlmsvc_grant_ops) < 0) | |
| 598 | - nlmsvc_release_block(block); | |
| 596 | + nlm_async_call(block->b_call, NLMPROC_GRANTED_MSG, &nlmsvc_grant_ops); | |
| 599 | 597 | } |
| 600 | 598 | |
| 601 | 599 | /* |