coda: do not grab an uninitialized fd when the open upcall returns an error

When open fails the fd in the response is uninitialized and we ended up taking
a reference on the file struct and never released it.

Signed-off-by: Jan Harkes <jaharkes@cs.cmu.edu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

fs/coda/file.c

@@ -143,8 +143,11 @@ int coda_open(struct inode *coda_inode, struct file *coda_file)
 	lock_kernel();
 
 	error = venus_open(coda_inode->i_sb, coda_i2f(coda_inode), coda_flags,
-			   &host_file); 
+			   &host_file);
-	if (error || !host_file) {
+	if (!host_file)
+		error = -EIO;
+
+	if (error) {
 		kfree(cfi);
 		unlock_kernel();
 		return error;

fs/coda/psdev.c

@@ -195,7 +195,8 @@ static ssize_t coda_psdev_write(struct file *file, const char __user *buf,
 	if (req->uc_opcode == CODA_OPEN_BY_FD) {
 		struct coda_open_by_fd_out *outp =
 			(struct coda_open_by_fd_out *)req->uc_data;
-		outp->fh = fget(outp->fd);
+		if (!outp->oh.result)
+			outp->fh = fget(outp->fd);
 	}
 
         wake_up(&req->uc_sleep);

fs/coda/upcall.c

@@ -251,12 +251,12 @@ int venus_open(struct super_block *sb, struct CodaFid *fid,
 	insize = SIZE(open_by_fd);
 	UPARG(CODA_OPEN_BY_FD);
 
-        inp->coda_open.VFid = *fid;
+	inp->coda_open_by_fd.VFid = *fid;
-        inp->coda_open.flags = flags;
+	inp->coda_open_by_fd.flags = flags;
 
-        error = coda_upcall(coda_sbp(sb), insize, &outsize, inp);
+	error = coda_upcall(coda_sbp(sb), insize, &outsize, inp);
-
+	if (!error)
-	*fh = outp->coda_open_by_fd.fh;
+		*fh = outp->coda_open_by_fd.fh;
 
 	CODA_FREE(inp, insize);
 	return error;