bcachefs: Fix a use after free in dio write path

Signed-off-by: Kent Overstreet <kent.overstreet@gmail.com> Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>

bcachefs: Fix a use after free in dio write path
Signed-off-by: Kent Overstreet <kent.overstreet@gmail.com> Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
286d8ad0 · Kent Overstreet · Kent Overstreet · 511ed5bf · 286d8ad0
Commit 286d8ad0 authored Mar 16, 2020 by Kent Overstreet Committed by Kent Overstreet Oct 22, 2023
Show whitespace changes
Inline Side-by-side

Showing with 3 additions and 4 deletions

fs/bcachefs/fs-io.c fs/bcachefs/fs-io.c +3 -4

No files found.
--- a/fs/bcachefs/fs-io.c
+++ b/fs/bcachefs/fs-io.c
@@ -1787,7 +1787,7 @@ static long bch2_dio_write_loop(struct dio_write *dio)
 	struct bio_vec *bv;
 	unsigned unaligned;
 	u64 new_i_size;
-	bool sync;
+	bool sync = dio->sync;
 	long ret;
 	if (dio->loop)
@@ -1830,7 +1830,7 @@ static long bch2_dio_write_loop(struct dio_write *dio)
 		if (!dio->sync && !dio->loop && dio->iter.count) {
 			if (bch2_dio_write_copy_iov(dio)) {
-				dio->sync = true;
+				dio->sync = sync = true;
 				goto do_io;
 			}
 		}
@@ -1838,7 +1838,7 @@ static long bch2_dio_write_loop(struct dio_write *dio)
 		dio->loop = true;
 		closure_call(&dio->op.cl, bch2_write, NULL, NULL);
-		if (dio->sync)
+		if (sync)
 			wait_for_completion(&dio->done);
 		else
 			return -EIOCBQUEUED;
@@ -1872,7 +1872,6 @@ static long bch2_dio_write_loop(struct dio_write *dio)
 	if (dio->free_iov)
 		kfree(dio->iter.__iov);
-	sync = dio->sync;
 	bio_put(bio);
 	/* inode->i_dio_count is our ref on inode and thus bch_fs */