coda: do not grab an uninitialized fd when the open upcall returns an error
Jan Harkes [Thu, 19 Jul 2007 08:48:41 +0000 (01:48 -0700)]
When open fails the fd in the response is uninitialized and we ended up taking
a reference on the file struct and never released it.

Signed-off-by: Jan Harkes <jaharkes@cs.cmu.edu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

fs/coda/file.c
fs/coda/psdev.c
fs/coda/upcall.c

index 99dbe86..e7d6227 100644 (file)
@@ -143,8 +143,11 @@ int coda_open(struct inode *coda_inode, struct file *coda_file)
        lock_kernel();
 
        error = venus_open(coda_inode->i_sb, coda_i2f(coda_inode), coda_flags,
-                          &host_file); 
-       if (error || !host_file) {
+                          &host_file);
+       if (!host_file)
+               error = -EIO;
+
+       if (error) {
                kfree(cfi);
                unlock_kernel();
                return error;
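Review bot: The new `if (!host_file) error = -EIO;` runs regardless of what venus_open() returned, so a failed upcall has its specific errno replaced by -EIO whenever host_file is NULL. It also reads host_file on the failure path, where venus_open() (the fs/coda/upcall.c hunk of this commit) no longer stores to `*fh`; that is only safe if the declaration, which is outside this hunk, initializes the pointer to NULL. Testing the pointer only after a successful upcall avoids both problems: `if (!error && !host_file) error = -EIO;`. coda_open's body starts before and continues after the hunk.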
index 803aacf..09382d4 100644 (file)
@@ -195,7 +195,8 @@ static ssize_t coda_psdev_write(struct file *file, const char __user *buf,
        if (req->uc_opcode == CODA_OPEN_BY_FD) {
                struct coda_open_by_fd_out *outp =
                        (struct coda_open_by_fd_out *)req->uc_data;
-               outp->fh = fget(outp->fd);
+               if (!outp->oh.result)
+                       outp->fh = fget(outp->fd);
        }
 
         wake_up(&req->uc_sleep);
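Review bot: When `outp->oh.result` is non-zero, `outp->fh` keeps whatever bytes were already in the reply buffer, which presumably came from the `__user` write earlier in this function. A kernel pointer field therefore stays under the cache manager's control, and it is safe only while every reader checks the result first. Clearing it explicitly removes that dependency: add `else outp->fh = NULL;` after the fget() line. fget() can also return NULL for a descriptor that is not open, and this hunk leaves that case to the caller (coda_open maps a NULL file to -EIO in this commit), which deserves a one-line comment here. coda_psdev_write starts and ends outside the hunk.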
index 5faacdb..1651b91 100644 (file)
@@ -251,12 +251,12 @@ int venus_open(struct super_block *sb, struct CodaFid *fid,
        insize = SIZE(open_by_fd);
        UPARG(CODA_OPEN_BY_FD);
 
-        inp->coda_open.VFid = *fid;
-        inp->coda_open.flags = flags;
+       inp->coda_open_by_fd.VFid = *fid;
+       inp->coda_open_by_fd.flags = flags;
 
-        error = coda_upcall(coda_sbp(sb), insize, &outsize, inp);
-
-       *fh = outp->coda_open_by_fd.fh;
+       error = coda_upcall(coda_sbp(sb), insize, &outsize, inp);
+       if (!error)
+               *fh = outp->coda_open_by_fd.fh;
 
        CODA_FREE(inp, insize);
        return error;
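Review bot: The output contract introduced at `if (!error) *fh = outp->coda_open_by_fd.fh;` is not documented: `*fh` is now written only when coda_upcall() returns 0 and is left untouched otherwise. The pointer handed back is the one the fs/coda/psdev.c hunk obtains with fget(), so it presumably carries a file reference that the caller has to drop. A comment above the assignment would make both halves explicit, for example `/* *fh is valid only on success; it holds the reference taken by fget() in coda_psdev_write and the caller must release it */`. venus_open starts outside the hunk.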