coda: do not grab an uninitialized fd when the open upcall returns an…

… error When open fails the fd in the response is uninitialized and we ended up taking a reference on the file struct and never released it. Signed-off-by: Jan Harkes <jaharkes@cs.cmu.edu> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
git-mirror · Jul 19, 2007 · 38c2e43 · 38c2e43
1 parent 1899119
commit 38c2e43
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 8 deletions.
diff --git a/fs/coda/file.c b/fs/coda/file.c
@@ -143,8 +143,11 @@ int coda_open(struct inode *coda_inode, struct file *coda_file)
 	lock_kernel();
 
 	error = venus_open(coda_inode->i_sb, coda_i2f(coda_inode), coda_flags,
-			   &host_file); 
-	if (error || !host_file) {
+			   &host_file);
+	if (!host_file)
+		error = -EIO;
+
+	if (error) {
 		kfree(cfi);
 		unlock_kernel();
 		return error;

diff --git a/fs/coda/psdev.c b/fs/coda/psdev.c
@@ -195,7 +195,8 @@ static ssize_t coda_psdev_write(struct file *file, const char __user *buf,
 	if (req->uc_opcode == CODA_OPEN_BY_FD) {
 		struct coda_open_by_fd_out *outp =
 			(struct coda_open_by_fd_out *)req->uc_data;
-		outp->fh = fget(outp->fd);
+		if (!outp->oh.result)
+			outp->fh = fget(outp->fd);
 	}
 
         wake_up(&req->uc_sleep);

diff --git a/fs/coda/upcall.c b/fs/coda/upcall.c
@@ -251,12 +251,12 @@ int venus_open(struct super_block *sb, struct CodaFid *fid,
 	insize = SIZE(open_by_fd);
 	UPARG(CODA_OPEN_BY_FD);
 
-        inp->coda_open.VFid = *fid;
-        inp->coda_open.flags = flags;
+	inp->coda_open_by_fd.VFid = *fid;
+	inp->coda_open_by_fd.flags = flags;
 
-        error = coda_upcall(coda_sbp(sb), insize, &outsize, inp);
-
-	*fh = outp->coda_open_by_fd.fh;
+	error = coda_upcall(coda_sbp(sb), insize, &outsize, inp);
+	if (!error)
+		*fh = outp->coda_open_by_fd.fh;
 
 	CODA_FREE(inp, insize);
 	return error;