From: Eric Van Hensbergen <ericvh@gmail.com>

If a 9pfs server crashes, v9fs_fd_close() is called.  Subsequently, in
cleaning up by performing a umount() on the FS that was provided by this
server v9fs_fd_close() is called again, and uses the old, freed valus of
trans->priv.  This patch ensures that trans->priv can be freed only once,
otherwise this function bails early.

Signed-off-by: Michal Ostrowski <mostrows@watson.ibm.com>
Signed-off-by: Eric Van Hensbergen <ericvh@gmail.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
---

 fs/9p/trans_fd.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff -puN fs/9p/trans_fd.c~v9fs-fix-fd_close fs/9p/trans_fd.c
--- devel/fs/9p/trans_fd.c~v9fs-fix-fd_close	2006-01-04 01:02:00.000000000 -0800
+++ devel-akpm/fs/9p/trans_fd.c	2006-01-04 01:02:00.000000000 -0800
@@ -148,12 +148,12 @@ static void v9fs_fd_close(struct v9fs_tr
 	if (!trans)
 		return;
 
-	trans->status = Disconnected;
-	ts = trans->priv;
+	ts = xchg(&trans->priv, NULL);
 
 	if (!ts)
 		return;
 
+	trans->status = Disconnected;
 	if (ts->in_file)
 		fput(ts->in_file);
 
_