xfs: fix a use after free in xfs_end_io_direct_write
There is a window in which the ioend that we call inode_dio_wake on
in xfs_end_io_direct_write is already free.  Fix this by storing
the inode pointer in a local variable.

This is a fix for the regression introduced in 3.1-rc by
"fs: move inode_dio_done to the end_io handler".

Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Alex Elder <aelder@sgi.com>
Christoph Hellwig authored and Alex Elder committed Sep 14, 2011
1 parent 003f6c9 commit 2d2422a
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion fs/xfs/xfs_aops.c
Expand Up @@ -1300,6 +1300,7 @@ xfs_end_io_direct_write(
bool is_async)
{
struct xfs_ioend *ioend = iocb->private;
struct inode *inode = ioend->io_inode;

/*
* blockdev_direct_IO can return an error even after the I/O
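Review bot: the new `struct inode *inode = ioend->io_inode;` declaration at the top of xfs_end_io_direct_write has no comment saying why the pointer is cached, so a later cleanup could fold it back into `ioend->io_inode` at the use site and reintroduce the use after free. A one-line comment above the declaration, stating that the ioend may be freed before the function returns and that the inode is therefore saved up front, would protect the fix. Reading the field at declaration time, before any of the completion logic runs, is the right place for it.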
Expand Down Expand Up @@ -1331,7 +1332,7 @@ xfs_end_io_direct_write(
}

/* XXX: probably should move into the real I/O completion handler */
inode_dio_done(ioend->io_inode);
inode_dio_done(inode);
}

STATIC ssize_t
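Review bot: at the `inode_dio_done(inode)` call, nothing marks `ioend` as potentially freed at this point, and the existing XXX comment only talks about moving the call into the real I/O completion handler. Suggest extending that comment to say that `ioend` must not be dereferenced here, so that code added later at the end of the function does not touch it again. Separately, the commit message refers to inode_dio_wake while the line changed here calls inode_dio_done; aligning the two would make the log easier to search.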