authorTrond Myklebust <Trond.Myklebust@netapp.com>2010-09-21 16:52:40 -0400
committerTrond Myklebust <Trond.Myklebust@netapp.com>2010-09-21 16:52:40 -0400
commitf7732d6573c4f29fc1ca5d384bbf82ddfa115030 (patch)
treee0f94b8406908e4e3081afa436a2aa8eed06773d /fs/nfs
parentd3d4152a5d59af9e13a73efa9e9c24383fbe307f (diff)
NFS: Fix a use-after-free case in nfs_async_rename()
The call to nfs_async_rename_release() after rpc_run_task() is incorrect. The rpc_run_task() is always guaranteed to call the ->rpc_release() method. Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Diffstat (limited to 'fs/nfs')
-rw-r--r--fs/nfs/unlink.c9
1 files changed, 2 insertions, 7 deletions
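diff --git a/fs/nfs/unlink.c b/fs/nfs/unlink.c
index 698b3e6367ff..47530aacebfd 100644
--- a/fs/nfs/unlink.c
+++ b/fs/nfs/unlink.c
@@ -426,7 +426,6 @@ nfs_async_rename(struct inode *old_dir, struct inode *new_dir,
 .rpc_client = NFS_CLIENT(old_dir),
 .flags = RPC_TASK_ASYNC,
 };
-struct rpc_task *task;
 
 data = kmalloc(sizeof(*data), GFP_KERNEL);
 if (data == NULL)
@@ -435,7 +434,7 @@ nfs_async_rename(struct inode *old_dir, struct inode *new_dir,
 
 data->cred = rpc_lookup_cred();
 if (IS_ERR(data->cred)) {
-task = (struct rpc_task *)data->cred;
+struct rpc_task *task = ERR_CAST(data->cred);
 kfree(data);
 return task;
 }
@@ -468,11 +467,7 @@ nfs_async_rename(struct inode *old_dir, struct inode *new_dir,
 
 NFS_PROTO(data->old_dir)->rename_setup(&msg, old_dir);
 
-task = rpc_run_task(&task_setup_data);
-if (IS_ERR(task))
-nfs_async_rename_release(data);
-
-return task;
+return rpc_run_task(&task_setup_data);
 }
 
 /**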
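Review bot: The bare `return rpc_run_task(&task_setup_data);` that now ends nfs_async_rename() has no comment recording that ownership of `data` passes to the RPC layer at that call. That is the invariant whose violation produced the double release removed here. A one-line comment above the return, for example `/* rpc_run_task() always calls ->rpc_release(), even on failure: data must not be released here */`, would stop a later cleanup from reintroducing the use-after-free. The initialisation of task_setup_data's callback fields and the start of the function lie outside the visible hunks, so this assumes nfs_async_rename_release() is what ->rpc_release resolves to for `data`.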