From: Al Viro <v...@zeniv.linux.org.uk>

"aio: remove the extra get_file/fput pair in io_submit_one" was
too optimistic: not dereferencing the file pointer after e.g.
->write_iter() returns is not enough; that reference might have been
the only thing keeping alive objects that are referenced
*before* the method returns.  Such as the inode, for example...

Signed-off-by: Al Viro <v...@zeniv.linux.org.uk>
---
 fs/aio.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/aio.c b/fs/aio.c
index 3d9669d011b9..ea30b78187ed 100644
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -1790,6 +1790,7 @@ static int __io_submit_one(struct kioctx *ctx, const 
struct iocb *iocb,
                           struct iocb __user *user_iocb, bool compat)
 {
        struct aio_kiocb *req;
+       struct file *file;
        ssize_t ret;
 
        /* enforce forwards compatibility on users */
@@ -1844,6 +1845,7 @@ static int __io_submit_one(struct kioctx *ctx, const 
struct iocb *iocb,
 
        req->ki_user_iocb = user_iocb;
        req->ki_user_data = iocb->aio_data;
+       file = get_file(req->ki_filp);  /* req can die too early */
 
        switch (iocb->aio_lio_opcode) {
        case IOCB_CMD_PREAD:
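Review bot: The comment on the new get_file() line, `/* req can die too early */`, names the symptom but not the reason, and a reader of this line needs the reason because req is plainly still in scope here. I would expand it to say that the operation dispatched by the switch below may complete the request — presumably dropping the reference held in ki_filp — before it returns, while the method is still touching the file's inode, so this extra reference keeps the file and whatever it pins alive until the call returns; e.g. `/* The op below may complete and free req (and its ki_filp ref) before returning, while still using the file's inode; hold our own reference across the call. */`. The remainder of __io_submit_one, including where ki_filp is acquired, lies outside this hunk.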
@@ -1872,6 +1874,7 @@ static int __io_submit_one(struct kioctx *ctx, const 
struct iocb *iocb,
                ret = -EINVAL;
                break;
        }
+       fput(file);
 
        /*
         * If ret is 0, we'd either done aio_complete() ourselves or have
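Review bot: `fput(file);` after the switch is the only place the reference taken before the switch is dropped, so every arm of the switch must reach it via `break`; any arm that returns directly would leak one file reference per submission. The switch body (old lines 1849–1874) is outside this hunk, so I cannot confirm from here that no arm returns early, but it is the one invariant this pairing depends on. A short comment tying the two lines together would protect that invariant against later edits, e.g. `fput(file);  /* drops the reference taken before the switch; req may already be gone */`. The function continues past this hunk.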
-- 
2.11.0
