Commit 54c807e71d5ac59dee56c685f2b66e27cd54c475
Committed by
Al Viro
Al Viro
1 parent
da2d8455ed
Exists in
smarc-l5.0.0_1.0.0-ga
and in
5 other branches
fs: Fix possible use-after-free with AIO
Running AIO is pinning inode in memory using file reference. Once AIO is completed using aio_complete(), file reference is put and inode can be freed from memory. So we have to be sure that calling aio_complete() is the last thing we do with the inode. CC: Christoph Hellwig <hch@infradead.org> CC: Jens Axboe <axboe@kernel.dk> CC: Jeff Moyer <jmoyer@redhat.com> CC: stable@vger.kernel.org Acked-by: Jeff Moyer <jmoyer@redhat.com> Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Showing 1 changed file with 1 additions and 1 deletions Side-by-side Diff
fs/direct-io.c
| ... | ... | @@ -261,9 +261,9 @@ |
| 261 | 261 | dio->end_io(dio->iocb, offset, transferred, |
| 262 | 262 | dio->private, ret, is_async); |
| 263 | 263 | } else { |
| 264 | + inode_dio_done(dio->inode); | |
| 264 | 265 | if (is_async) |
| 265 | 266 | aio_complete(dio->iocb, ret, 0); |
| 266 | - inode_dio_done(dio->inode); | |
| 267 | 267 | } |
| 268 | 268 | |
| 269 | 269 | return ret; |