From: Christoph Hellwig Date: Tue, 13 Sep 2011 22:26:00 +0000 (+0000) Subject: xfs: fix a use after free in xfs_end_io_direct_write X-Git-Tag: firefly_0821_release~3680^2~4490^2 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=2d2422aebc037095f77551119f795449d29befed;p=firefly-linux-kernel-4.4.55.git xfs: fix a use after free in xfs_end_io_direct_write There is a window in which the ioend that we call inode_dio_wake on in xfs_end_io_direct_write is already free. Fix this by storing the inode pointer in a local variable. This is a fix for the regression introduced in 3.1-rc by "fs: move inode_dio_done to the end_io handler". Signed-off-by: Christoph Hellwig Signed-off-by: Alex Elder --- diff --git a/fs/xfs/xfs_aops.c b/fs/xfs/xfs_aops.c index 63e971e2b837..8c37dde4c521 100644 --- a/fs/xfs/xfs_aops.c +++ b/fs/xfs/xfs_aops.c @@ -1300,6 +1300,7 @@ xfs_end_io_direct_write( bool is_async) { struct xfs_ioend *ioend = iocb->private; + struct inode *inode = ioend->io_inode; /* * blockdev_direct_IO can return an error even after the I/O @@ -1331,7 +1332,7 @@ xfs_end_io_direct_write( } /* XXX: probably should move into the real I/O completion handler */ - inode_dio_done(ioend->io_inode); + inode_dio_done(inode); } STATIC ssize_t
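Review bot: in the first hunk (@@ -1300), the new local `struct inode *inode = ioend->io_inode;` is taken at function entry for a lifetime reason that nothing in the code records; a later cleanup could fold it back into `inode_dio_done(ioend->io_inode)` and silently reintroduce the use after free the commit message describes. Add a one-line comment on the declaration, e.g. `/* ioend may already be freed by the time we call inode_dio_done() below */`, so the ordering dependency is visible next to the variable rather than only in git history.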
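Review bot: in the second hunk (@@ -1331), the `/* XXX: probably should move into the real I/O completion handler */` comment is kept verbatim above the changed `inode_dio_done(inode);` line, but it no longer tells the whole story: whoever does that move must also carry the inode pointer out of the ioend before the ioend is torn down there, or the same window reopens in the new location. Either extend the XXX comment with that constraint, or drop it now that the call's placement relative to ioend teardown is known to matter.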