author | Christoph Hellwig <hch@infradead.org> | 2011-09-13 22:26:00 +0000 |
---|---|---|
committer | Alex Elder <aelder@sgi.com> | 2011-09-14 08:56:35 -0500 |
commit | 2d2422aebc037095f77551119f795449d29befed (patch) | |
tree | 1786857f965cb63887c2bd7fd8dd08aabaefab4a | |
parent | 003f6c9df54970d8b19578d195b3e2b398cdbde2 (diff) | |
xfs: fix a use after free in xfs_end_io_direct_write

There is a window in which the ioend that we call inode_dio_wake on
in xfs_end_io_direct_write is already free. Fix this by storing
the inode pointer in a local variable.

This is a fix for the regression introduced in 3.1-rc by
"fs: move inode_dio_done to the end_io handler".

Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Alex Elder <aelder@sgi.com>

-rw-r--r-- | fs/xfs/xfs_aops.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/fs/xfs/xfs_aops.c b/fs/xfs/xfs_aops.c index 63e971e2b837..8c37dde4c521 100644 --- a/fs/xfs/xfs_aops.c +++ b/fs/xfs/xfs_aops.c @@ -1300,6 +1300,7 @@ xfs_end_io_direct_write( bool is_async) { struct xfs_ioend *ioend = iocb->private; + struct inode *inode = ioend->io_inode; /* * blockdev_direct_IO can return an error even after the I/O @@ -1331,7 +1332,7 @@ xfs_end_io_direct_write( } /* XXX: probably should move into the real I/O completion handler */ - inode_dio_done(ioend->io_inode); + inode_dio_done(inode); } STATIC ssize_t |
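
Review bot: the new local `inode` in the first hunk (declared beside `ioend` at the top of xfs_end_io_direct_write) carries no comment explaining why it exists, so it reads as a redundant copy of `ioend->io_inode` and a later cleanup could fold it back into the call. Suggest a short comment at the declaration saying that the ioend may already be freed by the time `inode_dio_done` runs, so the inode pointer has to be read while the ioend is still valid.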
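
Review bot: in the second hunk the call being changed is `inode_dio_done()`, while the commit message refers to `inode_dio_wake`; the description should use the name that appears in the code. The visible context also does not show which path above this call releases the ioend, so it would help to name it in the message or next to the existing XXX comment, and to confirm that nothing between that point and the end of the function still dereferences `ioend`.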