bcachefs: Fix a use after free

In move_read_endio, we were checking if the next pending write has its
read completed - but this can turn after a use after free (and we were
accessing the list without a lock), so instead just better to just
unconditionally do the wakeup.

Signed-off-by: Kent Overstreet <kent.overstreet@gmail.com>

diff --git a/fs/bcachefs/move.c b/fs/bcachefs/move.c
index 4751d79219cb247cb361511404eb296c7ccc16b6..2eb192da8e1d98dcb64a505cbf7397af9af4633e 100644 (file)
--- a/fs/bcachefs/move.c
+++ b/fs/bcachefs/move.c
@@ -480,9 +480,7 @@ static void move_read_endio(struct bio *bio)
        atomic_sub(io->read_sectors, &ctxt->read_sectors);
        io->read_completed = true;
 
-       if (next_pending_write(ctxt))
-               wake_up(&ctxt->wait);
-
+       wake_up(&ctxt->wait);
        closure_put(&ctxt->cl);
 }