From: Russ Allbery
Date: Thu, 12 Feb 2009 19:04:58 +0000 (-0800)
Subject: Apply upstream STABLE14-rx-rdwr-writeproc-race-20081228
X-Git-Tag: debian/1.4.8.dfsg1-1~23
X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=fdfc97287afacd6af87a40e5609562fc304f7e00;p=packages%2Fo%2Fopenafs.git
Apply upstream STABLE14-rx-rdwr-writeproc-race-20081228
---
diff --git a/debian/changelog b/debian/changelog
index 87c54072e..3014bb8be 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -17,6 +17,8 @@ openafs (1.4.8.dfsg1-1) UNRELEASED; urgency=low
 (Closes: #513680)
 - STABLE14-rx-idledead-only-ignore-keepalives-20081222: rx bug fix to not ignore other ping packets.
+ - STABLE14-rx-rdwr-writeproc-race-20081228: fix rx race condition that
+ could result in reuse of freed memory.
 * Make dynroot the default for new installations. It works much better with systems that don't bring up their network until late in the boot process, such as wireless laptops. (LP: #249240, #318605)
diff --git a/src/rx/rx_rdwr.c b/src/rx/rx_rdwr.c
index 9ca232c73..c574deddd 100644
--- a/src/rx/rx_rdwr.c
+++ b/src/rx/rx_rdwr.c
@@ -15,7 +15,7 @@
 #endif
 RCSID
- ("$Header: /cvs/openafs/src/rx/rx_rdwr.c,v 1.21.2.11 2008/10/02 11:55:03 jaltman Exp $");
+ ("$Header: /cvs/openafs/src/rx/rx_rdwr.c,v 1.21.2.12 2008/12/28 21:08:13 jaltman Exp $");
 #ifdef KERNEL
 #ifndef UKERNEL
@@ -690,6 +690,12 @@ rxi_WriteProc(register struct rx_call *call, register char *buf,
 do {
 if (call->nFree == 0) {
 if (!call->error && cp) {
+ /* Clear the current packet now so that if
+ * we are forced to wait and drop the lock
+ * the packet we are planning on using
+ * cannot be freed.
+ */
+ call->currentPacket = (struct rx_packet *)0;
 #ifdef AFS_GLOBAL_RXLOCK_KERNEL
 /* Wait until TQ_BUSY is reset before adding any
 * packets to the transmit queue
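Review bot: The `!call->error` test in this hunk runs only before the TQ_BUSY wait, so once `call->currentPacket` is cleared nothing visible here rechecks the call after the lock is reacquired, and the local `cp` is by then the sole reference to the packet. If the call can be errored or reset while the lock is dropped (the wait loop lies between this hunk and the next, outside the visible lines), the packet would be appended to `call->tq` on a failed call, or would be orphaned on any exit taken before the append. Consider rechecking `call->error` immediately after the wait and releasing `cp` on that path. The new assignment could also be written `call->currentPacket = NULL;` to match the `cp = NULL;` form used in the next hunk. rxi_WriteProc starts and ends outside the hunk.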
@@ -711,7 +717,7 @@ rxi_WriteProc(register struct rx_call *call, register char *buf,
 hadd32(call->bytesSent, cp->length);
 rxi_PrepareSendPacket(call, cp, 0);
 queue_Append(&call->tq, cp);
- cp = call->currentPacket = NULL;
+ cp = NULL;
 if (!
 (call->
 flags & (RX_CALL_FAST_RECOVER |
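Review bot: `cp = NULL;` is only correct because `call->currentPacket` was already cleared in the earlier hunk, before the TQ_BUSY wait, and nothing at this line records that dependency. A short comment such as `/* call->currentPacket was cleared before the TQ_BUSY wait above */` would keep a later edit from restoring the field write or from assuming the field still names the packet just queued. It is also worth confirming that no statement between the two hunks reads `call->currentPacket` expecting it to equal `cp`; those lines are not visible here, and the enclosing function continues past the end of the hunk.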