From f61816d0fc6091e14b3f4ffce962dc5084a1b6cd Mon Sep 17 00:00:00 2001
From: Kent Overstreet
Date: Mon, 21 Feb 2022 13:22:11 -0500
Subject: [PATCH] bcachefs: Fix a use after free

In move_read_endio, we were checking if the next pending write has its read completed - but this can turn after a use after free (and we were accessing the list without a lock), so instead just better to just unconditionally do the wakeup.

Signed-off-by: Kent Overstreet
---
 fs/bcachefs/move.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/fs/bcachefs/move.c b/fs/bcachefs/move.c
index 4751d79219cb2..2eb192da8e1d9 100644
--- a/fs/bcachefs/move.c
+++ b/fs/bcachefs/move.c
@@ -480,9 +480,7 @@ static void move_read_endio(struct bio *bio)
 atomic_sub(io->read_sectors, &ctxt->read_sectors);
 io->read_completed = true;
- if (next_pending_write(ctxt))
- wake_up(&ctxt->wait);
-
+ wake_up(&ctxt->wait);
 closure_put(&ctxt->cl);
 }
-- 
2.30.2
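Review bot: The now-unconditional `wake_up(&ctxt->wait);` in move_read_endio carries no comment recording why the pending-write list must not be inspected at this point, so the removed `next_pending_write(ctxt)` check is easy to reintroduce later as a supposed optimization. I would put the commit message's reasoning at the point of use, for example `/* Wake unconditionally: walking the pending-write list here is unlocked and can touch freed entries. */`. Separately, `io->read_completed = true;` is a plain store that the waiter presumably reads from another context; the hunk does not show the waiter, so it is worth confirming that its condition check pairs correctly with this wakeup, or marking the accesses with WRITE_ONCE/READ_ONCE. The opening lines of the function, where `io` and `ctxt` are set up, lie outside the hunk.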