From: NeilBrown rsc_lookup is a bit complicated: it either takes responsibility for the memory pointed to by handle.data and sets handle.data to NULL, or it leaves handle.data unchanged, in which case the caller is responsible for freeing handle.data. I forgot that the possibility of inserting a negative cache entry into the cache meant that this could happen even when rsc_lookup is called with set == 0. Note that the ip_map code has the same bug, not that it seems to matter much, since the memory in question in that case is always just a statically allocated string. From: "J. Bruce Fields" Signed-off-by: Neil Brown --- 25-akpm/net/sunrpc/auth_gss/svcauth_gss.c | 6 +++++- 1 files changed, 5 insertions(+), 1 deletion(-) diff -puN net/sunrpc/auth_gss/svcauth_gss.c~knfsd-6-of-11-nfsd_gss_rsc_lookup_freepatch net/sunrpc/auth_gss/svcauth_gss.c --- 25/net/sunrpc/auth_gss/svcauth_gss.c~knfsd-6-of-11-nfsd_gss_rsc_lookup_freepatch 2004-05-28 00:10:37.803000480 -0700 +++ 25-akpm/net/sunrpc/auth_gss/svcauth_gss.c 2004-05-28 00:10:37.806999872 -0700 @@ -333,6 +333,7 @@ rsc_init(struct rsc *new, struct rsc *tm new->handle.data = tmp->handle.data; tmp->handle.data = NULL; new->mechctx = NULL; + new->cred.cr_group_info = NULL; } static inline void @@ -453,8 +454,11 @@ gss_svc_searchbyctx(struct xdr_netobj *h struct rsc rsci; struct rsc *found; - rsci.handle = *handle; + memset(&rsci, 0, sizeof(rsci)); + if (dup_to_netobj(&rsci.handle, handle->data, handle->len)) + return NULL; found = rsc_lookup(&rsci, 0); + rsc_free(&rsci); if (!found) return NULL; if (cache_check(&rsc_cache, &found->h, NULL)) _
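Review bot: the rsc_init hunk (`+ new->cred.cr_group_info = NULL;`) is not explained anywhere in the commit message, which only talks about handle.data ownership in rsc_lookup. If the reason is that rsc_free releases cred.cr_group_info (the second hunk now calls rsc_free on a stack-allocated rsc, so rsc_free must be safe on a zeroed entry), say so in the message, or add a one-line comment beside the new assignment, so the next reader does not have to reconstruct why a cache-init helper is touching the cred field.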
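Review bot: in the gss_svc_searchbyctx hunk, the new early return `if (dup_to_netobj(&rsci.handle, handle->data, handle->len)) return NULL;` makes an allocation failure indistinguishable from a cache miss for the caller, since both yield NULL; that is probably acceptable here, but worth a short comment. More importantly, the copy-then-free pattern (`dup_to_netobj` before the lookup, `rsc_free(&rsci)` unconditionally after it) is only correct because rsc_lookup sets rsci.handle.data to NULL when it takes ownership and leaves it set otherwise, exactly the contract described in the commit message; a comment above `found = rsc_lookup(&rsci, 0);` stating that contract would stop someone later "simplifying" this back to `rsci.handle = *handle;` and reintroducing the double free / ownership bug. The `memset(&rsci, 0, sizeof(rsci));` is what keeps rsc_free from acting on garbage in mechctx and cred.cr_group_info, so it should stay ahead of the dup call as written.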