ext4_end_io_dio() queues io_end->work and then clears iocb->private; however, io_end->work completes the iocb by calling aio_complete(), which may happen before io_end->work clearing, thus leading to use-after-free.

Detected and tested with slab poisoning.

Signed-off-by: Tejun Heo <tj@xxxxxxxxxx>
Reported-by: Kent Overstreet <koverstreet@xxxxxxxxxx>
Tested-by: Kent Overstreet <koverstreet@xxxxxxxxxx>
Cc: stable@xxxxxxxxxx
---
I *think* this is the correct fix but am not too familiar with code path, so please proceed with caution.

Thank you.

 fs/ext4/inode.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index 240f6e2..0f5583b 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -2806,8 +2806,8 @@ out:
 	spin_unlock_irqrestore(&ei->i_completed_io_lock, flags);
 
 	/* queue the work to convert unwritten extents to written */
-	queue_work(wq, &io_end->work);
 	iocb->private = NULL;
+	queue_work(wq, &io_end->work);
 
 	/* XXX: probably should move into the real I/O completion handler */
 	inode_dio_done(inode);
--
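Review bot: the reorder in this hunk is the right shape for the reported use-after-free, but the ordering constraint it relies on is undocumented and easy to break again; queue_work(wq, &io_end->work) should carry a comment stating that the work item may run immediately, complete the iocb via aio_complete() and free io_end, so nothing after that call may touch iocb or io_end. With this patch the only statement that follows queue_work() in the visible context is inode_dio_done(inode), which dereferences inode rather than iocb or io_end, so the hunk itself is consistent; the remaining paths of ext4_end_io_dio() that are not shown here should be checked for any later access to iocb->private, iocb or io_end, since the same race applies there. Something like "/* io_end->work may complete and free iocb/io_end as soon as it is queued; do not touch them after this point */" above the queue_work() call would make the invariant explicit.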