aio: hold an extra file reference over AIO read/write operations

Otherwise we might dereference an already freed file and/or inode when aio_complete is called before we return from the read_iter or write_iter method. Signed-off-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2016-10-30 11:42:01 -05:00 · 2016-10-30 11:42:01 -05:00 · 0b944d3a4b
--- a/fs/aio.c
+++ b/fs/aio.c
@ -1460,6 +1460,7 @@ rw_common:
 			return ret;
 		}

+		get_file(file);
 		if (rw == WRITE)
 			file_start_write(file);

@ -1467,6 +1468,7 @@ rw_common:

 		if (rw == WRITE)
 			file_end_write(file);
+		fput(file);
 		kfree(iovec);
 		break;