From mboxrd@z Thu Jan  1 00:00:00 1970
From: Xiaotian Feng <dfeng@redhat.com>
Subject: Re: [PATCH] direct_io: fix use after free in __blockdev_direct_IO
Date: Thu, 17 Dec 2009 17:34:09 +0800
Message-ID: <4B29FB11.5060100@redhat.com>
References: <1261039772-18403-1-git-send-email-dfeng@redhat.com> <20091217092942.GX14381@ZenIV.linux.org.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
	Jens Axboe <jens.axboe@oracle.com>,
	Jeff Moyer <jmoyer@redhat.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Nikanth Karthikesan <knikanth@suse.de>,
	Zach Brown <zach.brown@oracle.com>
To: Al Viro <viro@ZenIV.linux.org.uk>
Return-path: <linux-kernel-owner+glk-linux-kernel-3=40m.gmane.org-S1764238AbZLQJec@vger.kernel.org>
In-Reply-To: <20091217092942.GX14381@ZenIV.linux.org.uk>
Sender: linux-kernel-owner@vger.kernel.org
List-Id: linux-fsdevel.vger.kernel.org

On 12/17/2009 05:29 PM, Al Viro wrote:
> On Thu, Dec 17, 2009 at 04:49:32PM +0800, Xiaotian Feng wrote:
>> @@ -1197,7 +1200,11 @@ __blockdev_direct_IO(int rw, struct kiocb *iocb, struct inode *inode,
>>   		(end>  i_size_read(inode)));
>>
>>   	retval = direct_io_worker(rw, iocb, inode, iov, offset,
>> -				nr_segs, blkbits, get_block, end_io, dio);
>> +				  nr_segs, blkbits, get_block, end_io,
>> +				  dio,&dio_freed);
>> +
>> +	if (dio_freed)
>> +		goto out;
>
> Um... I'm not sure that this would be the right fix.  How about simple
> s/dio->flags/flags/ in the line below?
Yes, dio->flags is not changed in direct_io_worker(), your method is 
better, thanks.