From 1f4c8dc970960f60fd250eb802216cc6f585751d Mon Sep 17 00:00:00 2001
From: Sage Weil <sage@newdream.net>
Date: Tue, 15 Apr 2008 15:04:48 -0700
Subject: [PATCH] kclient: fix misplaced put_session slab corruption bug

---
 src/kernel/mds_client.c | 10 +++++-----
 src/kernel/osd_client.c |  9 ++++++---
 2 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/src/kernel/mds_client.c b/src/kernel/mds_client.c
index ecdacd141cf1e..44d334f313678 100644
--- a/src/kernel/mds_client.c
+++ b/src/kernel/mds_client.c
@@ -332,9 +332,9 @@ __register_session(struct ceph_mds_client *mdsc, int mds)
 	}
 }
 
-static void unregister_session(struct ceph_mds_client *mdsc, int mds)
+static void __unregister_session(struct ceph_mds_client *mdsc, int mds)
 {
-	dout(10, "unregister_session mds%d %p\n", mds, mdsc->sessions[mds]);
+	dout(10, "__unregister_session mds%d %p\n", mds, mdsc->sessions[mds]);
 	put_session(mdsc->sessions[mds]);
 	mdsc->sessions[mds] = 0;
 }
@@ -668,7 +668,7 @@ void ceph_mdsc_handle_session(struct ceph_mds_client *mdsc,
 		if (session->s_cap_seq == seq) {
 			dout(1, "session close from mds%d\n", mds);
 			complete(&session->s_completion); /* for good measure */
-			unregister_session(mdsc, mds);
+			__unregister_session(mdsc, mds);
 		} else {
 			dout(1, "ignoring session close from mds%d, "
 			     "seq %llu < my seq %llu\n",
@@ -697,10 +697,10 @@ void ceph_mdsc_handle_session(struct ceph_mds_client *mdsc,
 		dout(0, "bad session op %d\n", op);
 		BUG_ON(1);
 	}
-	put_session(session);
 	spin_unlock(&mdsc->lock);
 
 	up(&session->s_mutex);
+	put_session(session);
 	return;
 
 bad:
@@ -1225,7 +1225,7 @@ void check_new_map(struct ceph_mds_client *mdsc,
 		switch (session->s_state) {
 		case CEPH_MDS_SESSION_OPENING:
 			complete(&session->s_completion);
-			unregister_session(mdsc, i);
+			__unregister_session(mdsc, i);
 			break;
 		case CEPH_MDS_SESSION_OPEN:
 			kick_requests(mdsc, i);
diff --git a/src/kernel/osd_client.c b/src/kernel/osd_client.c
index 3c6dd81efdb77..27872a35aa512 100644
--- a/src/kernel/osd_client.c
+++ b/src/kernel/osd_client.c
@@ -237,8 +237,10 @@ static void send_request(struct ceph_osd_client *osdc,
 			break;
 	}
 	if (i < nr_osds) {
-		dout(10, "send_request %p tid %llu to osd%d flags %d\n", req, req->r_tid, osds[i], req->r_flags);
-		req->r_request->hdr.dst.name.type = cpu_to_le32(CEPH_ENTITY_TYPE_OSD);
+		dout(10, "send_request %p tid %llu to osd%d flags %d\n", 
+		     req, req->r_tid, osds[i], req->r_flags);
+		req->r_request->hdr.dst.name.type = 
+			cpu_to_le32(CEPH_ENTITY_TYPE_OSD);
 		req->r_request->hdr.dst.name.num = cpu_to_le32(osds[i]);
 		req->r_request->hdr.dst.addr = osdc->osdmap->osd_addr[osds[i]];
 		ceph_msg_get(req->r_request); /* send consumes a ref */
@@ -287,7 +289,8 @@ void ceph_osdc_handle_reply(struct ceph_osd_client *osdc, struct ceph_msg *msg)
 	} else {
 		dout(10, "handle_reply tid %llu already had a reply\n", tid);
 	}
-	dout(10, "handle_reply tid %llu flags %d |= %d\n", tid, req->r_flags, rhead->flags);
+	dout(10, "handle_reply tid %llu flags %d |= %d\n", tid, req->r_flags,
+	     rhead->flags);
 	req->r_flags |= rhead->flags;
 	spin_unlock(&osdc->lock);
 	complete(&req->r_completion);
-- 
2.39.5