From patchwork Tue Jan 29 23:28:01 2013
X-Patchwork-Submitter: Jan Kara
X-Patchwork-Id: 216722
From: Jan Kara To: Al Viro Cc: linux-fsdevel@vger.kernel.org, xfs@oss.sgi.com, linux-ext4@vger.kernel.org, ocfs2-devel@oss.oracle.com, Jan Kara , Christoph Hellwig , Jens Axboe , Jeff Moyer , stable@vger.kernel.org Subject: [PATCH 4/4] fs: Fix possible use-after-free with AIO Date: Wed, 30 Jan 2013 00:28:01 +0100 Message-Id: <1359502081-20240-5-git-send-email-jack@suse.cz> X-Mailer: git-send-email 1.7.1 In-Reply-To: <1359502081-20240-1-git-send-email-jack@suse.cz> References: <1359502081-20240-1-git-send-email-jack@suse.cz> Sender: linux-ext4-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-ext4@vger.kernel.org Running AIO is pinning inode in memory using file reference. Once AIO is completed using aio_complete(), file reference is put and inode can be freed from memory. So we have to be sure that calling aio_complete() is the last thing we do with the inode. CC: Christoph Hellwig CC: Jens Axboe CC: Jeff Moyer CC: stable@vger.kernel.org Acked-by: Jeff Moyer Signed-off-by: Jan Kara --- fs/direct-io.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/fs/direct-io.c b/fs/direct-io.c index cf5b44b..f853263 100644 --- a/fs/direct-io.c +++ b/fs/direct-io.c @@ -261,9 +261,9 @@ static ssize_t dio_complete(struct dio *dio, loff_t offset, ssize_t ret, bool is dio->end_io(dio->iocb, offset, transferred, dio->private, ret, is_async); } else { + inode_dio_done(dio->inode); if (is_async) aio_complete(dio->iocb, ret, 0); - inode_dio_done(dio->inode); } return ret;
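Review bot: In the else branch of dio_complete(), the new order (inode_dio_done(dio->inode) before aio_complete(dio->iocb, ret, 0)) is what prevents the use-after-free described in the commit message, but nothing in the code says so, and a later cleanup could swap the two calls back. Suggest a short comment above inode_dio_done() stating that aio_complete() drops the file reference pinning the inode and must therefore be the last thing that touches it. The dio->end_io(...) branch is not changed by this hunk; because it is passed is_async, each ->end_io implementation has to keep the same ordering itself, and the changelog would be clearer if it said which patches in the series cover those callbacks.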