On Fri, Nov 9, 2018 at 2:51 PM, Lukas Czerner <lczerner@xxxxxxxxxx> wrote:
> In async IO blocking case the additional reference to the io is taken for
> it to survive fuse_aio_complete(). In non blocking case this additional
> reference is not needed, however we still reference io to figure out
> whether to wait for completion or not. This is wrong and will lead to
> use-after-free. Fix it by storing blocking information in separate
> variable.
>
> This was spotted by KASAN when running generic/208 fstest.

Thanks, applied.

Miklos
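
The lifetime pattern the quoted commit message describes, as an added toy model in C; it is not the patch or any kernel code. All names (`toy_io`, `io_put`, `submit_buggy`, `submit_fixed`) are hypothetical, and the model assumes the completion has already dropped its reference by the time the submitter checks whether to wait.

```c
/* Toy model with hypothetical names (not the FUSE structures). The object is
 * static, so a read after release is observable instead of undefined. */
struct toy_io {
    int refs;      /* reference count */
    int blocking;  /* submitter waits for completion */
    int live;      /* cleared when the last reference is dropped */
};

static struct toy_io slot;
static int stale_reads;  /* reads of a released object */

static struct toy_io *io_alloc(int blocking)
{
    slot.refs = blocking ? 2 : 1;  /* blocking case takes the extra reference */
    slot.blocking = blocking;
    slot.live = 1;
    stale_reads = 0;
    return &slot;
}

static void io_put(struct toy_io *io)
{
    if (--io->refs == 0)
        io->live = 0;  /* stands in for freeing the object */
}

/* Buggy shape: reads io->blocking after completion dropped its reference. */
static int submit_buggy(int blocking)
{
    struct toy_io *io = io_alloc(blocking);
    io_put(io);                /* completion runs and drops its reference */
    stale_reads += !io->live;  /* the next read touches a released object */
    if (io->blocking)
        io_put(io);            /* waiter drops the extra reference */
    return stale_reads;
}

/* Fixed shape: the decision is copied to a local while a reference is held. */
static int submit_fixed(int blocking)
{
    struct toy_io *io = io_alloc(blocking);
    int wait = io->blocking;
    io_put(io);                /* completion may release io from here on */
    if (wait)
        io_put(io);            /* the extra reference kept io alive until now */
    return stale_reads;
}

int main(void) { return (submit_buggy(0) == 1 && submit_fixed(0) == 0) ? 0 : 1; }
```

Only the non-blocking call to `submit_buggy` records a stale read, which matches the case the commit message singles out.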