NFS: Fix a use-after-free case in nfs_async_rename()

The call to nfs_async_rename_release() after rpc_run_task() is incorrect. The rpc_run_task() is always guaranteed to call the ->rpc_release() method. Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
git-mirror · Sep 21, 2010 · f7732d6 · f7732d6
1 parent d3d4152
commit f7732d6
Showing 1 changed file with 2 additions and 7 deletions.
diff --git a/fs/nfs/unlink.c b/fs/nfs/unlink.c
@@ -426,7 +426,6 @@ nfs_async_rename(struct inode *old_dir, struct inode *new_dir,
 		.rpc_client = NFS_CLIENT(old_dir),
 		.flags = RPC_TASK_ASYNC,
 	};
-	struct rpc_task *task;
 
 	data = kmalloc(sizeof(*data), GFP_KERNEL);
 	if (data == NULL)
@@ -435,7 +434,7 @@ nfs_async_rename(struct inode *old_dir, struct inode *new_dir,
 
 	data->cred = rpc_lookup_cred();
 	if (IS_ERR(data->cred)) {
-		task = (struct rpc_task *)data->cred;
+		struct rpc_task *task = ERR_CAST(data->cred);
 		kfree(data);
 		return task;
 	}
@@ -468,11 +467,7 @@ nfs_async_rename(struct inode *old_dir, struct inode *new_dir,
 
 	NFS_PROTO(data->old_dir)->rename_setup(&msg, old_dir);
 
-	task = rpc_run_task(&task_setup_data);
-	if (IS_ERR(task))
-		nfs_async_rename_release(data);
-
-	return task;
+	return rpc_run_task(&task_setup_data);
 }
 
 /**