bcachefs: fix uaf in bch2_dio_write_done()

Reported-by: syzbot+19ad84d5133871207377@syzkaller.appspotmail.com Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
author: Kent Overstreet <kent.overstreet@linux.dev> 2024-10-12 15:38:33 -0400
committer: Kent Overstreet <kent.overstreet@linux.dev> 2024-10-13 17:55:33 -0400
commit: 573ddcdc56077615f8db045cd06b44dd8fc01f4b (patch)
tree: 01d5cf667065979072b1b91224e547b1c856010a
parent: c986dd7ecba185ad2a36b0815940f34deb2a8170 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/fs/bcachefs/fs-io-direct.c b/fs/bcachefs/fs-io-direct.c
index ee1c0325f313..6d3a05ae5da8 100644
--- a/fs/bcachefs/fs-io-direct.c
+++ b/fs/bcachefs/fs-io-direct.c
@@ -369,6 +369,7 @@ static noinline void bch2_dio_write_flush(struct dio_write *dio)
 
 static __always_inline long bch2_dio_write_done(struct dio_write *dio)
 {
+	struct bch_fs *c = dio->op.c;
 	struct kiocb *req = dio->req;
 	struct bch_inode_info *inode = dio->inode;
 	bool sync = dio->sync;
@@ -387,7 +388,7 @@ static __always_inline long bch2_dio_write_done(struct dio_write *dio)
 	ret = dio->op.error ?: ((long) dio->written << 9);
 	bio_put(&dio->op.wbio.bio);
 
-	bch2_write_ref_put(dio->op.c, BCH_WRITE_REF_dio_write);
+	bch2_write_ref_put(c, BCH_WRITE_REF_dio_write);
 
 	/* inode->i_dio_count is our ref on inode and thus bch_fs */
 	inode_dio_end(&inode->v);
author	Kent Overstreet <kent.overstreet@linux.dev>	2024-10-12 15:38:33 -0400
committer	Kent Overstreet <kent.overstreet@linux.dev>	2024-10-13 17:55:33 -0400
commit	573ddcdc56077615f8db045cd06b44dd8fc01f4b (patch)
tree	01d5cf667065979072b1b91224e547b1c856010a
parent	c986dd7ecba185ad2a36b0815940f34deb2a8170 (diff)