NFS: Fix a use-after-free case in nfs_async_rename()
The call to nfs_async_rename_release() after rpc_run_task() is incorrect.
rpc_run_task() is always guaranteed to call the ->rpc_release() method.
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
diff --git a/fs/nfs/unlink.c b/fs/nfs/unlink.c
index 698b3e6..47530aa 100644
--- a/fs/nfs/unlink.c
+++ b/fs/nfs/unlink.c
@@ -426,7 +426,6 @@
.rpc_client = NFS_CLIENT(old_dir),
.flags = RPC_TASK_ASYNC,
};
- struct rpc_task *task;
data = kmalloc(sizeof(*data), GFP_KERNEL);
if (data == NULL)
@@ -435,7 +434,7 @@
data->cred = rpc_lookup_cred();
if (IS_ERR(data->cred)) {
- task = (struct rpc_task *)data->cred;
+ struct rpc_task *task = ERR_CAST(data->cred);
kfree(data);
return task;
}
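Review bot: The error path at the added line cleans up with a plain kfree(data) rather than nfs_async_rename_release(), and a one-line comment would make it clear why that is the right cleanup here, since the rest of the function relies on ->rpc_release() doing the teardown. At this point data->cred holds an ERR_PTR rather than a credential, and presumably no dentry or inode references have been taken yet (the code that takes them lies outside the hunk), so the release callback that drops them must not run. `/* No references taken yet and cred is an ERR_PTR: plain kfree() is the correct cleanup. */` above the kfree() would record that for the next reader. The enclosing nfs_async_rename() begins and ends outside this hunk.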
@@ -468,11 +467,7 @@
NFS_PROTO(data->old_dir)->rename_setup(&msg, old_dir);
- task = rpc_run_task(&task_setup_data);
- if (IS_ERR(task))
- nfs_async_rename_release(data);
-
- return task;
+ return rpc_run_task(&task_setup_data);
}
/**