
Commit 4b05d09c authored by Jan Kara, committed by Ben Myers

xfs: Fix possible use-after-free with AIO



Running AIO is pinning inode in memory using file reference. Once AIO
is completed using aio_complete(), file reference is put and inode can
be freed from memory. So we have to be sure that calling aio_complete()
is the last thing we do with the inode.

CC: xfs@oss.sgi.com
CC: Ben Myers <bpm@sgi.com>
CC: stable@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Ben Myers <bpm@sgi.com>
Signed-off-by: Ben Myers <bpm@sgi.com>
parent 9f87832a
+1 −1
@@ -86,11 +86,11 @@ xfs_destroy_ioend(
	}

	if (ioend->io_iocb) {
		inode_dio_done(ioend->io_inode);
		if (ioend->io_isasync) {
			aio_complete(ioend->io_iocb, ioend->io_error ?
					ioend->io_error : ioend->io_result, 0);
		}
		inode_dio_done(ioend->io_inode);
	}

	mempool_free(ioend, xfs_ioend_pool);
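
Review bot: The ordering constraint in xfs_destroy_ioend() is not documented in the code. Nothing near the `if (ioend->io_isasync)` branch says that aio_complete() drops the file reference pinning the inode and so must be the last use of `ioend->io_inode`. A short comment above the `inode_dio_done(ioend->io_inode);` call that precedes the async branch, saying it must stay ahead of aio_complete(), would keep a later cleanup from moving it back. The hunk as rendered here has lost its +/- markers, so inode_dio_done() shows at both positions; going by the commit message, the call before aio_complete() is the added line and the one after it is the removed line. The following `mempool_free(ioend, xfs_ioend_pool);` touches only the ioend, not the inode, so it can stay after the completion.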