authorTrond Myklebust <Trond.Myklebust@netapp.com>2007-05-30 18:58:00 +0200
committerTrond Myklebust <Trond.Myklebust@netapp.com>2007-05-30 22:26:01 +0200
commitb4946ffb1860597b187d78d61ac6504177eb0ff8 (patch)
tree56e5df1992aa478b806e5a768eda668543a5bb89
parentfix possible null ptr deref in kallsyms_lookup (diff)
NFS: Fix a refcount leakage in O_DIRECT
The current code is leaking a reference to dreq->kref when the calls to nfs_direct_read_schedule() and nfs_direct_write_schedule() return an error. This patch moves the call to kref_put() from nfs_direct_wait() back into nfs_direct_read() and nfs_direct_write() (which are the functions that actually took the reference in the first place) fixing the leak. Thanks to Denis V. Lunev for spotting the bug and proposing the original fix. Acked-by: Denis V. Lunev <dlunev@gmail.com> Acked-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
-rw-r--r--fs/nfs/direct.c12
1 files changed, 9 insertions, 3 deletions
diff --git a/fs/nfs/direct.c b/fs/nfs/direct.c
index 0c542ec92d5b..00eee87510fe 100644
--- a/fs/nfs/direct.c
+++ b/fs/nfs/direct.c
@@ -168,7 +168,7 @@ static inline struct nfs_direct_req *nfs_direct_req_alloc(void)
return dreq;
}
-static void nfs_direct_req_release(struct kref *kref)
+static void nfs_direct_req_free(struct kref *kref)
{
struct nfs_direct_req *dreq = container_of(kref, struct nfs_direct_req, kref);
@@ -177,6 +177,11 @@ static void nfs_direct_req_release(struct kref *kref)
kmem_cache_free(nfs_direct_cachep, dreq);
}
+static void nfs_direct_req_release(struct nfs_direct_req *dreq)
+{
+ kref_put(&dreq->kref, nfs_direct_req_free);
+}
+
/*
* Collects and returns the final error value/byte-count.
*/
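Review bot: The new `nfs_direct_req_release()` wrapper has no comment stating the ownership rule it encodes, which is the whole point of this fix. A short header such as `/* Drop one reference to dreq; the last put frees it via nfs_direct_req_free(), so the caller must not touch dreq afterwards. */` would document that. Separately, the old name now belongs to a function with a different signature and role, so a stale `kref_put(&dreq->kref, nfs_direct_req_release)` in a backport or out-of-tree patch would be caught only by a pointer-type diagnostic. A distinct name for the wrapper would make such a mismatch fail more obviously.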
@@ -196,7 +201,6 @@ static ssize_t nfs_direct_wait(struct nfs_direct_req *dreq)
result = dreq->count;
out:
- kref_put(&dreq->kref, nfs_direct_req_release);
return (ssize_t) result;
}
@@ -214,7 +218,7 @@ static void nfs_direct_complete(struct nfs_direct_req *dreq)
}
complete_all(&dreq->completion);
- kref_put(&dreq->kref, nfs_direct_req_release);
+ nfs_direct_req_release(dreq);
}
/*
@@ -369,6 +373,7 @@ static ssize_t nfs_direct_read(struct kiocb *iocb, unsigned long user_addr, size
if (!result)
result = nfs_direct_wait(dreq);
rpc_clnt_sigunmask(clnt, &oldset);
+ nfs_direct_req_release(dreq);
return result;
}
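Review bot: The `nfs_direct_req_release(dreq)` added before `return result` is the put for the reference that, per the commit message, nfs_direct_read() itself took, but nothing at the call site says so. That pairing is what keeps the request alive while nfs_direct_wait() reads `dreq->count`, so a comment such as `/* drop our reference; nfs_direct_complete() drops the I/O one */` would make it explicit. The function body starts outside the hunk, so it is worth confirming that no earlier return after the allocation bypasses this put, and that no path reaches it without the reference held. The same applies to the identical line added at the end of nfs_direct_write().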
@@ -716,6 +721,7 @@ static ssize_t nfs_direct_write(struct kiocb *iocb, unsigned long user_addr, siz
if (!result)
result = nfs_direct_wait(dreq);
rpc_clnt_sigunmask(clnt, &oldset);
+ nfs_direct_req_release(dreq);
return result;
}