On Thu, Dec 12, 2019 at 10:56:48AM +0100, Johannes Thumshirn wrote:
> On 12/12/2019 10:49, Christoph Hellwig wrote:
> >> @@ -8230,9 +8228,8 @@ static void btrfs_endio_direct_read(struct bio *bio)
> >> kfree(dip);
> >>
> >> dio_bio->bi_status = err;
> >> - dio_end_io(dio_bio);
> >> + bio_endio(dio_bio);
> >> btrfs_io_bio_free_csum(io_bio);
> >> - bio_put(bio);
> >
> > I'm not a btrfs expert, but doesn't this introduce a use after free
> > as bio_endio also frees io_bio?
>
> No that's ok, as the bio_endio() frees the dio_bio, while
> btrfs_io_bio_free_csum() frees the csum of the io_bio (which is a struct
> btrfs_io_bio).

So who frees the io_bio and its embedded bio?
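Review bot: Dropping `- bio_put(bio);` at the end of `btrfs_endio_direct_read()` leaves no release of `bio` anywhere in this hunk, so unless that reference is now dropped by the caller or by the `bio_endio()` path, the `io_bio` and its embedded `bio` leak. Please either keep the `bio_put(bio)` after `btrfs_io_bio_free_csum(io_bio)` or state in the commit message where the put now happens. Separately, `bio_endio(dio_bio)` runs before `btrfs_io_bio_free_csum(io_bio)`, so this ordering is only safe if `io_bio` is not freed as part of `dio_bio`'s completion; a one-line comment at that spot documenting that ownership would answer the use-after-free question raised in the reply above.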