From 6b3c73b3dc2a4ce5cc372a21f55767cd0d8c6c07 Mon Sep 17 00:00:00 2001
From: Kent Overstreet
Date: Mon, 16 Mar 2020 14:49:52 -0400
Subject: bcachefs: Fix a use after free in dio write path
Signed-off-by: Kent Overstreet
---
 fs/bcachefs/fs-io.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/fs/bcachefs/fs-io.c b/fs/bcachefs/fs-io.c
index 92fa72cb3216..ec46be3b646b 100644
--- a/fs/bcachefs/fs-io.c
+++ b/fs/bcachefs/fs-io.c
@@ -1807,7 +1807,7 @@ static long bch2_dio_write_loop(struct dio_write *dio)
 struct bio_vec *bv;
 unsigned unaligned;
 u64 new_i_size;
- bool sync;
+ bool sync = dio->sync;
 long ret;
 if (dio->loop)
@@ -1855,7 +1855,7 @@ static long bch2_dio_write_loop(struct dio_write *dio)
 iov = kmalloc(dio->iter.nr_segs * sizeof(*iov),
 GFP_KERNEL);
 if (unlikely(!iov)) {
- dio->sync = true;
+ dio->sync = sync = true;
 goto do_io;
 }
@@ -1869,7 +1869,7 @@ do_io:
 dio->loop = true;
 closure_call(&dio->op.cl, bch2_write, NULL, NULL);
- if (dio->sync)
+ if (sync)
 wait_for_completion(&dio->done);
 else
 return -EIOCBQUEUED;
@@ -1903,7 +1903,6 @@ err:
 if (dio->free_iov)
 kfree(dio->iter.iov);
- sync = dio->sync;
 bio_put(bio);
 /* inode->i_dio_count is our ref on inode and thus bch_fs */
--
cgit v1.2.3
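Review bot: The lifetime rule this fix relies on is not written down next to the code: at `bool sync = dio->sync;` (and again at the `if (sync)` test in the `do_io:` hunk) nothing explains why a local copy is read instead of the field. Going by the subject line, `dio` can presumably be freed by the write completion once `closure_call(&dio->op.cl, bch2_write, NULL, NULL)` has been issued in the non-sync case, so any later `dio->` read on that path is a use after free. I would add `/* dio may be freed by the completion path after closure_call() unless sync; test the local, never dio->sync */` above `if (sync)`. The commit message has no body; one sentence naming the racing free would help backporting and KASAN triage. The function starts and ends outside these hunks.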
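Review bot: `dio->sync = sync = true;` in the kmalloc failure branch now keeps two copies of the flag in step by hand, and the chained assignment hides that pairing; checkpatch also warns about multiple assignments on one line. Splitting it into `dio->sync = true;` and `sync = true;` makes it obvious that the local is the copy tested after the write is submitted. On the context line above, the allocation size is an open-coded `dio->iter.nr_segs * sizeof(*iov)`; `kmalloc_array(dio->iter.nr_segs, sizeof(*iov), GFP_KERNEL)` would give an overflow-checked allocation, though whether `nr_segs` is already bounded by the caller is not visible in this hunk.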