Commit 573ddcdc authored by Kent Overstreet's avatar Kent Overstreet

bcachefs: fix uaf in bch2_dio_write_done()

Reported-by: syzbot+19ad84d5133871207377@syzkaller.appspotmail.com
Signed-off-by: default avatarKent Overstreet <kent.overstreet@linux.dev>
parent c986dd7e
...@@ -369,6 +369,7 @@ static noinline void bch2_dio_write_flush(struct dio_write *dio) ...@@ -369,6 +369,7 @@ static noinline void bch2_dio_write_flush(struct dio_write *dio)
static __always_inline long bch2_dio_write_done(struct dio_write *dio) static __always_inline long bch2_dio_write_done(struct dio_write *dio)
{ {
struct bch_fs *c = dio->op.c;
struct kiocb *req = dio->req; struct kiocb *req = dio->req;
struct bch_inode_info *inode = dio->inode; struct bch_inode_info *inode = dio->inode;
bool sync = dio->sync; bool sync = dio->sync;
...@@ -387,7 +388,7 @@ static __always_inline long bch2_dio_write_done(struct dio_write *dio) ...@@ -387,7 +388,7 @@ static __always_inline long bch2_dio_write_done(struct dio_write *dio)
ret = dio->op.error ?: ((long) dio->written << 9); ret = dio->op.error ?: ((long) dio->written << 9);
bio_put(&dio->op.wbio.bio); bio_put(&dio->op.wbio.bio);
bch2_write_ref_put(dio->op.c, BCH_WRITE_REF_dio_write); bch2_write_ref_put(c, BCH_WRITE_REF_dio_write);
/* inode->i_dio_count is our ref on inode and thus bch_fs */ /* inode->i_dio_count is our ref on inode and thus bch_fs */
inode_dio_end(&inode->v); inode_dio_end(&inode->v);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment