Commit 0b944d3a, authored by Christoph Hellwig, committed by Al Viro

aio: hold an extra file reference over AIO read/write operations

Otherwise we might dereference an already freed file and/or inode
when aio_complete is called before we return from the read_iter or
write_iter method.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Parent a909d3e6
...@@ -1460,6 +1460,7 @@ static ssize_t aio_run_iocb(struct kiocb *req, unsigned opcode, ...@@ -1460,6 +1460,7 @@ static ssize_t aio_run_iocb(struct kiocb *req, unsigned opcode,
return ret; return ret;
} }
get_file(file);
if (rw == WRITE) if (rw == WRITE)
file_start_write(file); file_start_write(file);
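Review bot: The get_file(file) added ahead of the `if (rw == WRITE)` check carries no comment, so the reason for the extra reference lives only in the commit message. A short comment at this line saying that the reference keeps the file and its inode alive if aio_complete runs before the read_iter or write_iter method returns would keep a later cleanup from dropping the get_file/fput pair as redundant.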
...@@ -1467,6 +1468,7 @@ static ssize_t aio_run_iocb(struct kiocb *req, unsigned opcode, ...@@ -1467,6 +1468,7 @@ static ssize_t aio_run_iocb(struct kiocb *req, unsigned opcode,
if (rw == WRITE) if (rw == WRITE)
file_end_write(file); file_end_write(file);
fput(file);
kfree(iovec); kfree(iovec);
break; break;
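Review bot: Confirm that every path from the get_file(file) in the previous hunk reaches the fput(file) added here after file_end_write(file); only this one exit is visible in the context, and any return or break taken between the two calls would leak the reference. The ordering is right as written: file_end_write(file) still uses the file, so the fput has to come after it, and it would be worth saying so in a comment so the two calls are not reordered.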
......