From d88296a89fa7b699f237de7a86e30ce4995a2a4f Mon Sep 17 00:00:00 2001
From: rmacklem <rmacklem@FreeBSD.org>
Date: Wed, 17 Jun 2009 22:50:26 +0000
Subject: Since svc_[dg|vc|tli|tp]_create() did not hold a reference count on
 the SVCXPTR structure returned by them, it was possible for the structure to
 be free'd before svc_reg() had been completed using the structure. This patch
 acquires a reference count on the newly created structure that is returned by
 svc_[dg|vc|tli|tp]_create(). It also adds the appropriate SVC_RELEASE() calls
 to the callers, except the experimental nfs subsystem. The latter will be
 committed separately.

Submitted by:	dfr
Tested by:	pho
Approved by:	kib (mentor)
---
 sys/rpc/svc_generic.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'sys/rpc/svc_generic.c')

diff --git a/sys/rpc/svc_generic.c b/sys/rpc/svc_generic.c
index 790b4ba..38380f2 100644
--- a/sys/rpc/svc_generic.c
+++ b/sys/rpc/svc_generic.c
@@ -120,8 +120,10 @@ svc_create(
 			/* It was not found. Now create a new one */
 			xprt = svc_tp_create(pool, dispatch, prognum, versnum,
 			    NULL, nconf);
-			if (xprt)
+			if (xprt) {
 				num++;
+				SVC_RELEASE(xprt);
+			}
 		}
 	}
 	__rpc_endconf(handle);
@@ -179,6 +181,7 @@ svc_tp_create(
 				(unsigned)prognum, (unsigned)versnum,
 				nconf->nc_netid);
 		xprt_unregister(xprt);
+		SVC_RELEASE(xprt);
 		return (NULL);
 	}
 	return (xprt);
-- 
cgit v1.1