From cee359eee8e5b4268b54e94cfd8ea5cb8e400484 Mon Sep 17 00:00:00 2001
From: Derrick Brashear <shadow@dementia.org>
Date: Tue, 20 May 2008 20:54:04 +0000
Subject: [PATCH] STABLE14-aix-unpin-after-free-20080520

LICENSE IPL10
FIXES 99456

in order that cleanup be safe we need to do it this way


(cherry picked from commit 3edb97360b7d971750e54471037584d7a9a74993)
---
 src/afs/afs_call.c      | 8 ++++----
 src/afs/afs_osi_alloc.c | 4 ++--
 src/afs/afs_vcache.c    | 6 +++---
 3 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/src/afs/afs_call.c b/src/afs/afs_call.c
index 7be11b987..12be70e95 100644
--- a/src/afs/afs_call.c
+++ b/src/afs/afs_call.c
@@ -2901,10 +2901,10 @@ afs_icl_LogFreeUse(register struct afs_icl_log *logp)
     ObtainWriteLock(&logp->lock, 189);
     if (--logp->setCount == 0) {
 	/* no more users -- free it (but keep log structure around) */
+	afs_osi_Free(logp->datap, sizeof(afs_int32) * logp->logSize);
 #ifdef	KERNEL_HAVE_PIN
 	unpin((char *)logp->datap, sizeof(afs_int32) * logp->logSize);
 #endif
-	afs_osi_Free(logp->datap, sizeof(afs_int32) * logp->logSize);
 	logp->firstUsed = logp->firstFree = 0;
 	logp->logElements = 0;
 	logp->datap = NULL;
@@ -2927,10 +2927,10 @@ afs_icl_LogSetSize(register struct afs_icl_log *logp, afs_int32 logSize)
 	logp->logElements = 0;
 
 	/* free and allocate a new one */
+	afs_osi_Free(logp->datap, sizeof(afs_int32) * logp->logSize);
 #ifdef	KERNEL_HAVE_PIN
 	unpin((char *)logp->datap, sizeof(afs_int32) * logp->logSize);
 #endif
-	afs_osi_Free(logp->datap, sizeof(afs_int32) * logp->logSize);
 	logp->datap =
 	    (afs_int32 *) afs_osi_Alloc(sizeof(afs_int32) * logSize);
 #ifdef	KERNEL_HAVE_PIN
@@ -2954,10 +2954,10 @@ afs_icl_ZapLog(register struct afs_icl_log *logp)
 	    /* found the dude we want to remove */
 	    *lpp = logp->nextp;
 	    osi_FreeSmallSpace(logp->name);
+	    afs_osi_Free(logp->datap, sizeof(afs_int32) * logp->logSize);
 #ifdef KERNEL_HAVE_PIN
 	    unpin((char *)logp->datap, sizeof(afs_int32) * logp->logSize);
 #endif
-	    afs_osi_Free(logp->datap, sizeof(afs_int32) * logp->logSize);
 	    osi_FreeSmallSpace(logp);
 	    break;		/* won't find it twice */
 	}
@@ -3215,10 +3215,10 @@ afs_icl_ZapSet(register struct afs_icl_set *setp)
 	    /* found the dude we want to remove */
 	    *lpp = setp->nextp;
 	    osi_FreeSmallSpace(setp->name);
+	    afs_osi_Free(setp->eventFlags, ICL_DEFAULTEVENTS);
 #ifdef	KERNEL_HAVE_PIN
 	    unpin((char *)setp->eventFlags, ICL_DEFAULTEVENTS);
 #endif
-	    afs_osi_Free(setp->eventFlags, ICL_DEFAULTEVENTS);
 	    for (i = 0; i < ICL_LOGSPERSET; i++) {
 		if ((tlp = setp->logs[i]))
 		    afs_icl_LogReleNL(tlp);
diff --git a/src/afs/afs_osi_alloc.c b/src/afs/afs_osi_alloc.c
index ac591e686..82843d0d8 100644
--- a/src/afs/afs_osi_alloc.c
+++ b/src/afs/afs_osi_alloc.c
@@ -146,18 +146,18 @@ shutdown_osinet(void)
 
 	while ((tp = freePacketList)) {
 	    freePacketList = tp->next;
+	    afs_osi_Free(tp, AFS_LRALLOCSIZ);
 #ifdef  KERNEL_HAVE_PIN
 	    unpin(tp, AFS_LRALLOCSIZ);
 #endif
-	    afs_osi_Free(tp, AFS_LRALLOCSIZ);
 	}
 
 	while ((tp = freeSmallList)) {
 	    freeSmallList = tp->next;
+	    afs_osi_Free(tp, AFS_SMALLOCSIZ);
 #ifdef  KERNEL_HAVE_PIN
 	    unpin(tp, AFS_SMALLOCSIZ);
 #endif
-	    afs_osi_Free(tp, AFS_SMALLOCSIZ);
 	}
 	LOCK_INIT(&osi_fsplock, "osi_fsplock");
 	LOCK_INIT(&osi_flplock, "osi_flplock");
diff --git a/src/afs/afs_vcache.c b/src/afs/afs_vcache.c
index 92efef11e..3837e680c 100644
--- a/src/afs/afs_vcache.c
+++ b/src/afs/afs_vcache.c
@@ -3072,12 +3072,12 @@ shutdown_vcache(void)
     }
     afs_cbrSpace = 0;
 
-#ifdef  KERNEL_HAVE_PIN
-    unpin(Initial_freeVCList, afs_cacheStats * sizeof(struct vcache));
-#endif
 #if !defined(AFS_OSF_ENV) && !defined(AFS_LINUX22_ENV)
     afs_osi_Free(Initial_freeVCList, afs_cacheStats * sizeof(struct vcache));
 #endif
+#ifdef  KERNEL_HAVE_PIN
+    unpin(Initial_freeVCList, afs_cacheStats * sizeof(struct vcache));
+#endif
 
 #if !defined(AFS_OSF_ENV) && !defined(AFS_LINUX22_ENV)
     freeVCList = Initial_freeVCList = 0;
-- 
2.39.5