From 286d8ad040ddb9a496ac4a8551d72b827e604243 Mon Sep 17 00:00:00 2001
From: Kent Overstreet
Date: Mon, 16 Mar 2020 14:49:52 -0400
Subject: [PATCH] bcachefs: Fix a use after free in dio write path

Signed-off-by: Kent Overstreet
Signed-off-by: Kent Overstreet
---
 fs/bcachefs/fs-io.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/fs/bcachefs/fs-io.c b/fs/bcachefs/fs-io.c
index 4a20bb11151cb..726c55072b7bb 100644
--- a/fs/bcachefs/fs-io.c
+++ b/fs/bcachefs/fs-io.c
@@ -1787,7 +1787,7 @@ static long bch2_dio_write_loop(struct dio_write *dio)
  struct bio_vec *bv;
  unsigned unaligned;
  u64 new_i_size;
- bool sync;
+ bool sync = dio->sync;
  long ret;
 
  if (dio->loop)
@@ -1830,7 +1830,7 @@ static long bch2_dio_write_loop(struct dio_write *dio)
 
  if (!dio->sync && !dio->loop && dio->iter.count) {
  if (bch2_dio_write_copy_iov(dio)) {
- dio->sync = true;
+ dio->sync = sync = true;
  goto do_io;
  }
  }
@@ -1838,7 +1838,7 @@ do_io:
  dio->loop = true;
  closure_call(&dio->op.cl, bch2_write, NULL, NULL);
 
- if (dio->sync)
+ if (sync)
  wait_for_completion(&dio->done);
  else
  return -EIOCBQUEUED;
@@ -1872,7 +1872,6 @@ err:
  if (dio->free_iov)
  kfree(dio->iter.__iov);
 
- sync = dio->sync;
  bio_put(bio);
 
  /* inode->i_dio_count is our ref on inode and thus bch_fs */
-- 
2.30.2
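Review bot: The new initializer `bool sync = dio->sync;` in the first hunk has no comment saying why the flag is copied to the stack, so a later cleanup could fold `sync` back into `dio->sync` and reintroduce the bug. Going by the commit title and the `if (sync)` change in the do_io hunk, the copy exists because dio may already have been freed by write completion once `closure_call()` has submitted the write on the async path; that is inferred, as the freeing code is not in the diff. A one-line comment on the declaration would record it, e.g. `/* dio may be freed by write completion after closure_call(); do not re-read dio->sync past that point */`. The body of bch2_dio_write_loop starts and ends outside this hunk.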
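Review bot: In the second hunk, `dio->sync = sync = true;` leaves two copies of the same flag that must be updated together, while the guard two lines above still tests `dio->sync` and the rest of the function now uses the local. That read appears to happen only while dio is still live, so it is not a lifetime problem, but mixing the two invites a later change that updates only one of them. Consider testing `!sync` in the guard and splitting the chained assignment into `sync = true;` and `dio->sync = true;`, which also follows the kernel coding-style advice against multiple assignments on one line.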