On 12/12/2019 10:49, Christoph Hellwig wrote:
>> @@ -8230,9 +8228,8 @@ static void btrfs_endio_direct_read(struct bio *bio)
>>  kfree(dip);
>>
>>  dio_bio->bi_status = err;
>> - dio_end_io(dio_bio);
>> + bio_endio(dio_bio);
>>  btrfs_io_bio_free_csum(io_bio);
>> - bio_put(bio);
>
> I'm not a btrfs expert, but doesn't this introduce a use after free
> as bio_endio also frees io_bio?

No, that's ok, as the bio_endio() frees the dio_bio, while
btrfs_io_bio_free_csum() frees the csum of the io_bio (which is a
struct btrfs_io_bio).

--
Johannes Thumshirn
SUSE Labs Filesystems
jthumshirn@xxxxxxx
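Review bot: the hunk removes `bio_put(bio)` with no visible replacement release of `bio`, so the lifetime hand-off should be spelled out in the commit message; with `bio_endio(dio_bio)` standing in for `dio_end_io(dio_bio)`, the sequence `bio_endio(dio_bio); btrfs_io_bio_free_csum(io_bio);` is only free of a use-after-free when `io_bio` is not the bio that `bio_endio()` completes, which is exactly what the reply asserts (io_bio is the `struct btrfs_io_bio` whose csum is released, dio_bio is the one freed). A one-line comment above `btrfs_io_bio_free_csum(io_bio)` noting that `dio_bio` must not be touched past that point would make the ordering self-evident to the next reader who asks the same question.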