lk/linux-kernel-test
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

xfs: fix a use after free in xfs_end_io_direct_write

Browse Source 
There is a window in which the ioend that we call inode_dio_wake on
in xfs_end_io_direct_write is already free.  Fix this by storing
the inode pointer in a local variable.

This is a fix for the regression introduced in 3.1-rc by
"fs: move inode_dio_done to the end_io handler".

Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Alex Elder <aelder@sgi.com>
This commit is contained in:
Christoph Hellwig
2011-09-13 22:26:00 +00:00
committed by Alex Elder
parent 003f6c9df5
commit 2d2422aebc
1 changed files with 2 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
fs/xfs/xfs_aops.c
View File

@@ -1300,6 +1300,7 @@ xfs_end_io_direct_write(
bool is_async) bool is_async)
{ {
struct xfs_ioend *ioend = iocb->private; struct xfs_ioend *ioend = iocb->private;
struct inode *inode = ioend->io_inode;
/* /*
* blockdev_direct_IO can return an error even after the I/O * blockdev_direct_IO can return an error even after the I/O
@@ -1331,7 +1332,7 @@ xfs_end_io_direct_write(
} }
/* XXX: probably should move into the real I/O completion handler */ /* XXX: probably should move into the real I/O completion handler */
inode_dio_done(ioend->io_inode); inode_dio_done(inode);
} }
STATIC ssize_t STATIC ssize_t