xfs: fix a use after free in xfs_end_io_direct_write

There is a window in which the ioend that we call inode_dio_wake on in xfs_end_io_direct_write is already free. Fix this by storing the inode pointer in a local variable. This is a fix for the regression introduced in 3.1-rc by "fs: move inode_dio_done to the end_io handler". Signed-off-by: N Christoph Hellwig <hch@lst.de> Signed-off-by: N Alex Elder <aelder@sgi.com>

xfs: fix a use after free in xfs_end_io_direct_write
There is a window in which the ioend that we call inode_dio_wake on in xfs_end_io_direct_write is already free. Fix this by storing the inode pointer in a local variable. This is a fix for the regression introduced in 3.1-rc by "fs: move inode_dio_done to the end_io handler". Signed-off-by: N Christoph Hellwig <hch@lst.de> Signed-off-by: N Alex Elder <aelder@sgi.com>
2d2422ae · Christoph Hellwig · Alex Elder · 003f6c9d · 2d2422ae
隐藏空白更改
内联并排

Showing with 2 addition and 1 deletion

fs/xfs/xfs_aops.c fs/xfs/xfs_aops.c +2 -1

未找到文件。
--- a/fs/xfs/xfs_aops.c
+++ b/fs/xfs/xfs_aops.c
@@ -1300,6 +1300,7 @@ xfs_end_io_direct_write(
 	bool			is_async)
 {
 	struct xfs_ioend	*ioend = iocb->private;
+	struct inode		*inode = ioend->io_inode;
 	/*
 	 * blockdev_direct_IO can return an error even after the I/O
@@ -1331,7 +1332,7 @@ xfs_end_io_direct_write(
 	}
 	/* XXX: probably should move into the real I/O completion handler */
-	inode_dio_done(ioend->io_inode);
+	inode_dio_done(inode);
 }
 STATIC ssize_t