SUNRPC: Fix a double-free in rpcbind
authorTrond Myklebust <Trond.Myklebust@netapp.com>
Mon, 7 Jul 2008 16:18:52 +0000 (12:18 -0400)
committerTrond Myklebust <Trond.Myklebust@netapp.com>
Tue, 8 Jul 2008 19:23:00 +0000 (15:23 -0400)
It is wrong to be freeing up the rpcbind arguments if the call to
rpcb_call_async() fails, since they should already have been freed up by
rpcb_map_release().

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
net/sunrpc/rpcb_clnt.c

index 0517967a68bf85571919923e9935658d4c63e6f3..21c698d7b77460105a0522d3fa901ffac36b5ca3 100644 (file)
@@ -365,18 +365,16 @@ void rpcb_getport_async(struct rpc_task *task)
        rpc_release_client(rpcb_clnt);
        if (IS_ERR(child)) {
                status = -EIO;
+               /* rpcb_map_release() has freed the arguments */
                dprintk("RPC: %5u %s: rpc_run_task failed\n",
                        task->tk_pid, __func__);
-               goto bailout;
+               goto bailout_nofree;
        }
        rpc_put_task(child);
 
        task->tk_xprt->stat.bind_count++;
        return;
 
-bailout:
-       kfree(map);
-       xprt_put(xprt);
 bailout_nofree:
        rpcb_wake_rpcbind_waiters(xprt, status);
 bailout_nowake:
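Review bot: The comment added in the `IS_ERR(child)` branch covers only half of what the removed `bailout:` label did, since that label ran both `kfree(map)` and `xprt_put(xprt)`. If the release callback also drops the transport reference, as the removal implies, the comment should say so, e.g. `/* rpcb_map_release() has freed map and dropped its xprt reference */`. This matters because `bailout_nofree` still passes `xprt` to `rpcb_wake_rpcbind_waiters()` afterwards; the transport is presumably kept alive by the task's own `task->tk_xprt` reference, but nothing in the hunk shows that. The fix also assumes the release callback runs on every failure path behind `rpcb_call_async()`, which is worth confirming against `rpc_run_task()`, because a path that skips it would turn the old double-free into a leak of `map`. The body of `rpcb_getport_async()` starts before this hunk and continues past `bailout_nowake:`.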