ext4: fix possible use-after-free with AIO

Running AIO is pinning inode in memory using file reference. Once AIO
is completed using aio_complete(), file reference is put and inode can
be freed from memory. So we have to be sure that calling aio_complete()
is the last thing we do with the inode.

CC: stable@vger.kernel.org
Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com>
Acked-by: Jeff Moyer <jmoyer@redhat.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>

2 files changed, 5 insertions, 6 deletions

diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index 86bf43d6dfcd..07d9defeaf8c 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -2850,9 +2850,9 @@ static void ext4_end_io_dio(struct kiocb *iocb, loff_t offset,
         if (!(io_end->flag & EXT4_IO_END_UNWRITTEN)) {
                 ext4_free_io_end(io_end);
 out:
+                inode_dio_done(inode);
                 if (is_async)
                         aio_complete(iocb, ret, 0);
-                inode_dio_done(inode);
                 return;
         }
 
diff --git a/fs/ext4/page-io.c b/fs/ext4/page-io.c
index 5d8c66948e1b..809b31003ecc 100644
--- a/fs/ext4/page-io.c
+++ b/fs/ext4/page-io.c
@@ -102,14 +102,13 @@ static int ext4_end_io(ext4_io_end_t *io)
                          "(inode %lu, offset %llu, size %zd, error %d)",
                          inode->i_ino, offset, size, ret);
         }
-        if (io->iocb)
-                aio_complete(io->iocb, io->result, 0);
-
-        if (io->flag & EXT4_IO_END_DIRECT)
-                inode_dio_done(inode);
         /* Wake up anyone waiting on unwritten extent conversion */
         if (atomic_dec_and_test(&EXT4_I(inode)->i_unwritten))
                 wake_up_all(ext4_ioend_wq(inode));
+        if (io->flag & EXT4_IO_END_DIRECT)
+                inode_dio_done(inode);
+        if (io->iocb)
+                aio_complete(io->iocb, io->result, 0);
         return ret;
 }