bcachefs: Fix a use after free in dio write path

Signed-off-by: Kent Overstreet <kent.overstreet@gmail.com>
Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>

diff --git a/fs/bcachefs/fs-io.c b/fs/bcachefs/fs-io.c
index 4a20bb11151cbbe3c382ae130fff7331647c1722..726c55072b7bbb7c39618ffc6745b18c524c3682 100644 (file)
--- a/fs/bcachefs/fs-io.c
+++ b/fs/bcachefs/fs-io.c
@@ -1787,7 +1787,7 @@ static long bch2_dio_write_loop(struct dio_write *dio)
        struct bio_vec *bv;
        unsigned unaligned;
        u64 new_i_size;
-       bool sync;
+       bool sync = dio->sync;
        long ret;
 
        if (dio->loop)
@@ -1830,7 +1830,7 @@ static long bch2_dio_write_loop(struct dio_write *dio)
 
                if (!dio->sync && !dio->loop && dio->iter.count) {
                        if (bch2_dio_write_copy_iov(dio)) {
-                               dio->sync = true;
+                               dio->sync = sync = true;
                                goto do_io;
                        }
                }
@@ -1838,7 +1838,7 @@ do_io:
                dio->loop = true;
                closure_call(&dio->op.cl, bch2_write, NULL, NULL);
 
-               if (dio->sync)
+               if (sync)
                        wait_for_completion(&dio->done);
                else
                        return -EIOCBQUEUED;
@@ -1872,7 +1872,6 @@ err:
        if (dio->free_iov)
                kfree(dio->iter.__iov);
 
-       sync = dio->sync;
        bio_put(bio);
 
        /* inode->i_dio_count is our ref on inode and thus bch_fs */