diff options
| author | Christoph Hellwig <hch@infradead.org> | 2011-09-13 18:26:00 -0400 |
|---|---|---|
| committer | Alex Elder <aelder@sgi.com> | 2011-09-14 09:56:35 -0400 |
| commit | 2d2422aebc037095f77551119f795449d29befed (patch) | |
| tree | 1786857f965cb63887c2bd7fd8dd08aabaefab4a /fs/xfs/xfs_aops.c | |
| parent | 003f6c9df54970d8b19578d195b3e2b398cdbde2 (diff) | |
xfs: fix a use after free in xfs_end_io_direct_write
There is a window in which the ioend that we call inode_dio_wake on
in xfs_end_io_direct_write is already free. Fix this by storing
the inode pointer in a local variable.
This is a fix for the regression introduced in 3.1-rc by
"fs: move inode_dio_done to the end_io handler".
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Alex Elder <aelder@sgi.com>
Diffstat (limited to 'fs/xfs/xfs_aops.c')
| -rw-r--r-- | fs/xfs/xfs_aops.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/fs/xfs/xfs_aops.c b/fs/xfs/xfs_aops.c index 63e971e2b837..8c37dde4c521 100644 --- a/fs/xfs/xfs_aops.c +++ b/fs/xfs/xfs_aops.c | |||
| @@ -1300,6 +1300,7 @@ xfs_end_io_direct_write( | |||
| 1300 | bool is_async) | 1300 | bool is_async) |
| 1301 | { | 1301 | { |
| 1302 | struct xfs_ioend *ioend = iocb->private; | 1302 | struct xfs_ioend *ioend = iocb->private; |
| 1303 | struct inode *inode = ioend->io_inode; | ||
| 1303 | 1304 | ||
| 1304 | /* | 1305 | /* |
| 1305 | * blockdev_direct_IO can return an error even after the I/O | 1306 | * blockdev_direct_IO can return an error even after the I/O |
| @@ -1331,7 +1332,7 @@ xfs_end_io_direct_write( | |||
| 1331 | } | 1332 | } |
| 1332 | 1333 | ||
| 1333 | /* XXX: probably should move into the real I/O completion handler */ | 1334 | /* XXX: probably should move into the real I/O completion handler */ |
| 1334 | inode_dio_done(ioend->io_inode); | 1335 | inode_dio_done(inode); |
| 1335 | } | 1336 | } |
| 1336 | 1337 | ||
| 1337 | STATIC ssize_t | 1338 | STATIC ssize_t |