xfs: fix a use after free in xfs_end_io_direct_write

Christoph Hellwig · Alex Elder · commit 2d2422aebc03 · 2011-09-14T08:56:35.000-05:00
There is a window in which the ioend that we call inode_dio_wake on
in xfs_end_io_direct_write is already free.  Fix this by storing
the inode pointer in a local variable.

This is a fix for the regression introduced in 3.1-rc by
"fs: move inode_dio_done to the end_io handler".

Signed-off-by: Christoph Hellwig &lt;hch@lst.de&gt;
Signed-off-by: Alex Elder &lt;aelder@sgi.com&gt;
diff --git a/fs/xfs/xfs_aops.c b/fs/xfs/xfs_aops.c
@@ -1300,6 +1300,7 @@ xfs_end_io_direct_write(
 	bool			is_async)
 {
 	struct xfs_ioend	*ioend = iocb->private;
+	struct inode		*inode = ioend->io_inode;
 
 	/*
 	 * blockdev_direct_IO can return an error even after the I/O
@@ -1331,7 +1332,7 @@ xfs_end_io_direct_write(
 	}
 
 	/* XXX: probably should move into the real I/O completion handler */
-	inode_dio_done(ioend->io_inode);
+	inode_dio_done(inode);
 }
 
 STATIC ssize_t

Original file line number	Diff line number	Diff line change
`@@ -1300,6 +1300,7 @@ xfs_end_io_direct_write(`
`1300`	`1300`	`bool is_async)`
`1301`	`1301`	`{`
`1302`	`1302`	`struct xfs_ioend *ioend = iocb->private;`
	`1303`	`+ struct inode *inode = ioend->io_inode;`
`1303`	`1304`
`1304`	`1305`	`/*`
`1305`	`1306`	`* blockdev_direct_IO can return an error even after the I/O`
`@@ -1331,7 +1332,7 @@ xfs_end_io_direct_write(`
`1331`	`1332`	`}`
`1332`	`1333`
`1333`	`1334`	`/* XXX: probably should move into the real I/O completion handler */`
`1334`		`- inode_dio_done(ioend->io_inode);`
	`1335`	`+ inode_dio_done(inode);`
`1335`	`1336`	`}`
`1336`	`1337`
`1337`	`1338`	`STATIC ssize_t`