diff options
| author | Jan Harkes <jaharkes@cs.cmu.edu> | 2007-07-19 04:48:41 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@woody.linux-foundation.org> | 2007-07-19 13:04:48 -0400 |
| commit | 38c2e4370da495813ca93d7cad31ed5090e8c310 (patch) | |
| tree | bf48c4a17f3f2f7cf17a20e37f55f898a332a2c7 | |
| parent | 18991197b4b588255ccabf472ebc84db7b66a19c (diff) | |
coda: do not grab an uninitialized fd when the open upcall returns an error
When open fails the fd in the response is uninitialized and we ended up taking
a reference on the file struct and never released it.
Signed-off-by: Jan Harkes <jaharkes@cs.cmu.edu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
| -rw-r--r-- | fs/coda/file.c | 7 | ||||
| -rw-r--r-- | fs/coda/psdev.c | 3 | ||||
| -rw-r--r-- | fs/coda/upcall.c | 10 |
3 files changed, 12 insertions, 8 deletions
diff --git a/fs/coda/file.c b/fs/coda/file.c index 99dbe866816d..e7d622709c90 100644 --- a/fs/coda/file.c +++ b/fs/coda/file.c | |||
| @@ -143,8 +143,11 @@ int coda_open(struct inode *coda_inode, struct file *coda_file) | |||
| 143 | lock_kernel(); | 143 | lock_kernel(); |
| 144 | 144 | ||
| 145 | error = venus_open(coda_inode->i_sb, coda_i2f(coda_inode), coda_flags, | 145 | error = venus_open(coda_inode->i_sb, coda_i2f(coda_inode), coda_flags, |
| 146 | &host_file); | 146 | &host_file); |
| 147 | if (error || !host_file) { | 147 | if (!host_file) |
| 148 | error = -EIO; | ||
| 149 | |||
| 150 | if (error) { | ||
| 148 | kfree(cfi); | 151 | kfree(cfi); |
| 149 | unlock_kernel(); | 152 | unlock_kernel(); |
| 150 | return error; | 153 | return error; |
diff --git a/fs/coda/psdev.c b/fs/coda/psdev.c index 803aacf0d49c..09382d47a4e1 100644 --- a/fs/coda/psdev.c +++ b/fs/coda/psdev.c | |||
| @@ -195,7 +195,8 @@ static ssize_t coda_psdev_write(struct file *file, const char __user *buf, | |||
| 195 | if (req->uc_opcode == CODA_OPEN_BY_FD) { | 195 | if (req->uc_opcode == CODA_OPEN_BY_FD) { |
| 196 | struct coda_open_by_fd_out *outp = | 196 | struct coda_open_by_fd_out *outp = |
| 197 | (struct coda_open_by_fd_out *)req->uc_data; | 197 | (struct coda_open_by_fd_out *)req->uc_data; |
| 198 | outp->fh = fget(outp->fd); | 198 | if (!outp->oh.result) |
| 199 | outp->fh = fget(outp->fd); | ||
| 199 | } | 200 | } |
| 200 | 201 | ||
| 201 | wake_up(&req->uc_sleep); | 202 | wake_up(&req->uc_sleep); |
diff --git a/fs/coda/upcall.c b/fs/coda/upcall.c index 5faacdb1a479..1651b918219a 100644 --- a/fs/coda/upcall.c +++ b/fs/coda/upcall.c | |||
| @@ -251,12 +251,12 @@ int venus_open(struct super_block *sb, struct CodaFid *fid, | |||
| 251 | insize = SIZE(open_by_fd); | 251 | insize = SIZE(open_by_fd); |
| 252 | UPARG(CODA_OPEN_BY_FD); | 252 | UPARG(CODA_OPEN_BY_FD); |
| 253 | 253 | ||
| 254 | inp->coda_open.VFid = *fid; | 254 | inp->coda_open_by_fd.VFid = *fid; |
| 255 | inp->coda_open.flags = flags; | 255 | inp->coda_open_by_fd.flags = flags; |
| 256 | 256 | ||
| 257 | error = coda_upcall(coda_sbp(sb), insize, &outsize, inp); | 257 | error = coda_upcall(coda_sbp(sb), insize, &outsize, inp); |
| 258 | 258 | if (!error) | |
| 259 | *fh = outp->coda_open_by_fd.fh; | 259 | *fh = outp->coda_open_by_fd.fh; |
| 260 | 260 | ||
| 261 | CODA_FREE(inp, insize); | 261 | CODA_FREE(inp, insize); |
| 262 | return error; | 262 | return error; |