From: Kent Overstreet Date: Mon, 21 Feb 2022 18:22:11 +0000 (-0500) Subject: bcachefs: Fix a use after free X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=f61816d0fc6091e14b3f4ffce962dc5084a1b6cd;p=linux.git bcachefs: Fix a use after free In move_read_endio, we were checking if the next pending write has its read completed - but this can turn after a use after free (and we were accessing the list without a lock), so instead just better to just unconditionally do the wakeup. Signed-off-by: Kent Overstreet --- diff --git a/fs/bcachefs/move.c b/fs/bcachefs/move.c index 4751d79219cb2..2eb192da8e1d9 100644 --- a/fs/bcachefs/move.c +++ b/fs/bcachefs/move.c @@ -480,9 +480,7 @@ static void move_read_endio(struct bio *bio) atomic_sub(io->read_sectors, &ctxt->read_sectors); io->read_completed = true; - if (next_pending_write(ctxt)) - wake_up(&ctxt->wait); - + wake_up(&ctxt->wait); closure_put(&ctxt->cl); }
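Review bot: The now-unconditional `wake_up(&ctxt->wait)` at the end of move_read_endio() has no comment explaining why the `next_pending_write(ctxt)` check must not come back, so the check is easy to reintroduce later as an optimization. A short comment above the wakeup would help, stating that the pending-write list cannot be inspected here without a lock and that doing so risked a use after free. After `io->read_completed = true` the visible lines only touch `ctxt`, which fits the fix. It is still worth confirming that the reference dropped by `closure_put(&ctxt->cl)` is what keeps `ctxt` valid across the wakeup, since the wakeup has to stay before that put. The commit message does not say which object was freed, and it carries no Fixes: tag. Adding both would make backporting easier.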