If a snapshot became invalid while there are outstanding pending_exceptions,
when pending_complete() processes each one it forgets to remove the
corresponding exception from its exception table before freeing it.

Fix this by moving the 'out:' label up one statement so that
remove_exception() is always called.  Then __invalidate_exception() no
longer needs to call it and its 'pe' argument become superfluous.

Signed-off-by: Alasdair G Kergon <agk@redhat.com>

--- linux-2.6.17.orig/drivers/md/dm-snap.c	2006-09-13 16:32:51.000000000 +0100
+++ linux-2.6.17/drivers/md/dm-snap.c	2006-09-13 16:33:22.000000000 +0100
@@ -632,8 +632,7 @@ static void error_bios(struct bio *bio)
 	}
 }
 
-static void __invalidate_snapshot(struct dm_snapshot *s,
-				struct pending_exception *pe, int err)
+static void __invalidate_snapshot(struct dm_snapshot *s, int err)
 {
 	if (!s->valid)
 		return;
@@ -643,9 +642,6 @@ static void __invalidate_snapshot(struct
 	else if (err == -ENOMEM)
 		DMERR("Invalidating snapshot: Unable to allocate exception.");
 
-	if (pe)
-		remove_exception(&pe->e);
-
 	if (s->store.drop_snapshot)
 		s->store.drop_snapshot(&s->store);
 
@@ -702,7 +698,7 @@ static void pending_complete(struct pend
 	if (!success) {
 		/* Read/write error - snapshot is unusable */
 		down_write(&s->lock);
-		__invalidate_snapshot(s, pe, -EIO);
+		__invalidate_snapshot(s, -EIO);
 		error = 1;
 		goto out;
 	}
@@ -710,7 +706,7 @@ static void pending_complete(struct pend
 	e = alloc_exception();
 	if (!e) {
 		down_write(&s->lock);
-		__invalidate_snapshot(s, pe, -ENOMEM);
+		__invalidate_snapshot(s, -ENOMEM);
 		error = 1;
 		goto out;
 	}
@@ -728,9 +724,9 @@ static void pending_complete(struct pend
 	 * in-flight exception from the list.
 	 */
 	insert_exception(&s->complete, e);
-	remove_exception(&pe->e);
 
  out:
+	remove_exception(&pe->e);
 	snapshot_bios = bio_list_get(&pe->snapshot_bios);
 	origin_bios = put_pending_exception(pe);
 
@@ -910,7 +906,7 @@ static int snapshot_map(struct dm_target
 	if (bio_rw(bio) == WRITE) {
 		pe = __find_pending_exception(s, bio);
 		if (!pe) {
-			__invalidate_snapshot(s, pe, -ENOMEM);
+			__invalidate_snapshot(s, -ENOMEM);
 			r = -EIO;
 			goto out_unlock;
 		}
@@ -1036,7 +1032,7 @@ static int __origin_write(struct list_he
 
 		pe = __find_pending_exception(snap, bio);
 		if (!pe) {
-			__invalidate_snapshot(snap, pe, -ENOMEM);
+			__invalidate_snapshot(snap, -ENOMEM);
 			goto next_snapshot;
 		}