From patchwork Tue Jan 29 23:28:00 2013 X-Patchwork-Submitter: Jan Kara X-Patchwork-Id: 216725
From: Jan Kara To: Al Viro Cc: linux-fsdevel@vger.kernel.org, xfs@oss.sgi.com, linux-ext4@vger.kernel.org, ocfs2-devel@oss.oracle.com, Jan Kara , Joel Becker , stable@vger.kernel.org Subject: [PATCH 3/4] ocfs2: Fix possible use-after-free with AIO Date: Wed, 30 Jan 2013 00:28:00 +0100 Message-Id: <1359502081-20240-4-git-send-email-jack@suse.cz> X-Mailer: git-send-email 1.7.1 In-Reply-To: <1359502081-20240-1-git-send-email-jack@suse.cz> References: <1359502081-20240-1-git-send-email-jack@suse.cz> Sender: linux-ext4-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-ext4@vger.kernel.org Running AIO is pinning inode in memory using file reference. Once AIO is completed using aio_complete(), file reference is put and inode can be freed from memory. So we have to be sure that calling aio_complete() is the last thing we do with the inode. CC: Joel Becker CC: ocfs2-devel@oss.oracle.com CC: stable@vger.kernel.org Acked-by: Jeff Moyer Signed-off-by: Jan Kara --- fs/ocfs2/aops.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/fs/ocfs2/aops.c b/fs/ocfs2/aops.c index 6577432..340bd02 100644 --- a/fs/ocfs2/aops.c +++ b/fs/ocfs2/aops.c @@ -593,9 +593,9 @@ static void ocfs2_dio_end_io(struct kiocb *iocb, level = ocfs2_iocb_rw_locked_level(iocb); ocfs2_rw_unlock(inode, level); + inode_dio_done(inode); if (is_async) aio_complete(iocb, ret, 0); - inode_dio_done(inode); } /*
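Review bot: the reordering at the end of ocfs2_dio_end_io() leaves nothing in the code saying that aio_complete() must be the last statement that touches the inode, so a later change could easily add an inode access after it again. A short comment above `if (is_async)` noting that aio_complete() drops the file reference pinning the inode, and that inode must not be dereferenced afterwards, would keep the invariant from the commit message visible at the call site. Since the hunk only covers the tail of this function, it is also worth confirming that nothing after the return from ocfs2_dio_end_io() uses the inode in the async case.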