]> git.karo-electronics.de Git - karo-tx-linux.git/commitdiff
projects / karo-tx-linux.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: eeb9d3d)
fs/direct-io.c: fix possible use-after-free with AIO
authorJan Kara <jack@suse.cz>
Thu, 7 Feb 2013 01:31:59 +0000 (12:31 +1100)
committerStephen Rothwell <sfr@canb.auug.org.au>
Mon, 18 Feb 2013 05:47:43 +0000 (16:47 +1100)
Running AIO is pinning inode in memory using file reference.  Once AIO is
completed using aio_complete(), file reference is put and inode can be
freed from memory.  So we have to be sure that calling aio_complete() is
the last thing we do with the inode.

Acked-by: Jeff Moyer <jmoyer@redhat.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Jeff Moyer <jmoyer@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
fs/direct-io.c patch | blob | history

diff --git a/fs/direct-io.c b/fs/direct-io.c
index cf5b44b10c6759454e662dcf0a99f3511f374a3c..f853263cf74f8abf29016db5e44eaa9e0de44abc 100644 (file)
--- a/fs/direct-io.c
+++ b/fs/direct-io.c
@@ -261,9 +261,9 @@ static ssize_t dio_complete(struct dio *dio, loff_t offset, ssize_t ret, bool is
                dio->end_io(dio->iocb, offset, transferred,
                            dio->private, ret, is_async);
        } else {
+               inode_dio_done(dio->inode);
                if (is_async)
                        aio_complete(dio->iocb, ret, 0);
-               inode_dio_done(dio->inode);
        }
 
        return ret;
Linux kernel for KaRo TX COM modules