bcachefs: Fix a use after free

In move_read_endio, we were checking if the next pending write has its read completed - but this can turn after a use after free (and we were accessing the list without a lock), so instead just better to just unconditionally do the wakeup. Signed-off-by: Kent Overstreet <kent.overstreet@gmail.com>

bcachefs: Fix a use after free
In move_read_endio, we were checking if the next pending write has its read completed - but this can turn after a use after free (and we were accessing the list without a lock), so instead just better to just unconditionally do the wakeup. Signed-off-by: Kent Overstreet <kent.overstreet@gmail.com>
f61816d0 · Kent Overstreet · Kent Overstreet · 12bf93a4 · f61816d0
Commit f61816d0 authored Feb 21, 2022 by Kent Overstreet Committed by Kent Overstreet Oct 22, 2023
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 3 deletions

fs/bcachefs/move.c fs/bcachefs/move.c +1 -3

No files found.
--- a/fs/bcachefs/move.c
+++ b/fs/bcachefs/move.c
@@ -480,9 +480,7 @@ static void move_read_endio(struct bio *bio)
 	atomic_sub(io->read_sectors, &ctxt->read_sectors);
 	io->read_completed = true;

-	if (next_pending_write(ctxt))
-		wake_up(&ctxt->wait);
-
+	wake_up(&ctxt->wait);
 	closure_put(&ctxt->cl);
 }