ceph: fix possible double-free of mds request reference

Clear pointer to mds request after dropping the reference to
ensure we don't drop it again, as there is at least one error
path through this function that does not reset fi->last_readdir
to a new value.

Signed-off-by: Sage Weil <sage@newdream.net>

diff --git a/fs/ceph/dir.c b/fs/ceph/dir.c
index 5107384ee02927351889ace8f32c5535f718dda8..8a9116e15b701a809d6b6d78636c97d56bc81c97 100644 (file)
--- a/fs/ceph/dir.c
+++ b/fs/ceph/dir.c
@@ -288,8 +288,10 @@ more:
                        CEPH_MDS_OP_LSSNAP : CEPH_MDS_OP_READDIR;
 
                /* discard old result, if any */
-               if (fi->last_readdir)
+               if (fi->last_readdir) {
                        ceph_mdsc_put_request(fi->last_readdir);
+                       fi->last_readdir = NULL;
+               }
 
                /* requery frag tree, as the frag topology may have changed */
                frag = ceph_choose_frag(ceph_inode(inode), frag, NULL, NULL);