From c3a197347ffd389572e0941cbcbbf8c076dd4d76 Mon Sep 17 00:00:00 2001
From: Miloslav Trmač
Date: Wed, 28 Jul 2010 02:48:46 +0200
Subject: Don't access new objects when not holding a reference
---
 ncr-key.c | 2 +-
 ncr-sessions.c | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/ncr-key.c b/ncr-key.c
index e0361bc..4ea933c 100644
--- a/ncr-key.c
+++ b/ncr-key.c
@@ -189,9 +189,9 @@ int ncr_key_init(struct list_sem_st* lst, void __user* arg)
 list_add(&key->list, &lst->list);
+ desc = key->desc;
 up(&lst->sem);
- desc = key->desc;
 ret = copy_to_user(arg, &desc, sizeof(desc));
 if (unlikely(ret)) {
 down(&lst->sem);
diff --git a/ncr-sessions.c b/ncr-sessions.c
index 7d79753..365935f 100644
--- a/ncr-sessions.c
+++ b/ncr-sessions.c
@@ -121,7 +121,7 @@ struct session_item_st* ncr_session_new(struct list_sem_st* lst)
 }
 init_MUTEX(&sess->mem_mutex);
- atomic_set(&sess->refcnt, 1);
+ atomic_set(&sess->refcnt, 2); /* One for lst->list, one for "sess" */
 down(&lst->sem);
@@ -392,6 +392,7 @@ fail:
 if (ret < 0) {
 _ncr_session_remove(&lists->sessions, ns->desc);
 }
+ _ncr_sessions_item_put(ns);
 return ret;
 }
-- cgit
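Review bot: The `copy_to_user` failure branch in `ncr_key_init` re-takes the semaphore with `down(&lst->sem);` after the key has already been published by `list_add` and the lock dropped, so any use of `key` in that branch has the same lifetime problem that moving `desc = key->desc;` above `up(&lst->sem);` fixes for the read. The rest of that branch lies outside the hunk, so this is inferred; if it dereferences `key` to unlink it, another thread could have removed and freed the key in the window. Either hold an extra reference on `key` across the `copy_to_user`, as the ncr-sessions.c change in this commit does for sessions, or have the error branch find the entry again by `desc` under the lock. A short comment at the moved line would also help, for example `/* read desc while lst->sem still pins key */`.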
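Review bot: Starting `sess->refcnt` at 2 changes the contract of `ncr_session_new`: the returned pointer now carries a reference that every caller must drop, and the only place that says so is the trailing comment on the `atomic_set` line. I would state it on the function itself, for example `/* Returns a session holding one reference for the caller; release it with _ncr_sessions_item_put(). */`. The function body and its other callers are outside this hunk, so two things need checking. Each caller must pair the call with a put, or the session can never reach zero and is leaked. Any error return inside `ncr_session_new` after this line must also not leave the count at 2.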
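Review bot: The added `_ncr_sessions_item_put(ns);` runs unconditionally on the way out through `fail:`, so it relies on `ns` being a valid, referenced session on every path that reaches the label. The start of the function is outside the hunk; if any `goto fail` can be taken before `ns` is assigned, or after `ncr_session_new` returned NULL, this dereferences a bad pointer. In that case guard it with `if (ns != NULL) _ncr_sessions_item_put(ns);`, or make the early failures return directly. The ordering itself is right: `_ncr_session_remove(&lists->sessions, ns->desc)` reads `ns->desc` while the caller's reference is still held, and the put comes after it.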