aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTrond Myklebust <Trond.Myklebust@netapp.com>2007-02-03 13:38:40 -0800
committerTrond Myklebust <Trond.Myklebust@netapp.com>2007-02-03 15:35:02 -0800
commit54cc533aaa0dc331ad126f0aacfb19572adee638 (patch)
tree45bb1bb889fc26a94931bc09319625f10cb80d39
parenta995e9eb3258df6ab2e9f958e08003978e50d568 (diff)
RPC: Fix double free in portmapper code
rpc_run_task is guaranteed to always call ->rpc_release. Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
-rw-r--r--net/sunrpc/pmap_clnt.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/net/sunrpc/pmap_clnt.c b/net/sunrpc/pmap_clnt.c
index 3946ec3eb51..76e59e9b8fb 100644
--- a/net/sunrpc/pmap_clnt.c
+++ b/net/sunrpc/pmap_clnt.c
@@ -62,7 +62,10 @@ static inline void pmap_map_free(struct portmap_args *map)
static void pmap_map_release(void *data)
{
- pmap_map_free(data);
+ struct portmap_args *map = data;
+
+ xprt_put(map->pm_xprt);
+ pmap_map_free(map);
}
static const struct rpc_call_ops pmap_getport_ops = {
@@ -133,7 +136,7 @@ void rpc_getport(struct rpc_task *task)
status = -EIO;
child = rpc_run_task(pmap_clnt, RPC_TASK_ASYNC, &pmap_getport_ops, map);
if (IS_ERR(child))
- goto bailout;
+ goto bailout_nofree;
rpc_put_task(child);
task->tk_xprt->stat.bind_count++;
@@ -222,7 +225,6 @@ static void pmap_getport_done(struct rpc_task *child, void *data)
child->tk_pid, status, map->pm_port);
pmap_wake_portmap_waiters(xprt, status);
- xprt_put(xprt);
}
/**