On Wed, Mar 28, 2018 at 09:26:36AM +0200, Christoph Hellwig wrote:
> +             struct inode *inode = file_inode(file);
> +
>               req->ki_flags |= IOCB_WRITE;
>               file_start_write(file);
> -             ret = aio_ret(req, call_write_iter(file, req, &iter));
> +             ret = aio_rw_ret(req, call_write_iter(file, req, &iter));
>               /*
> -              * We release freeze protection in aio_complete().  Fool lockdep
> -              * by telling it the lock got released so that it doesn't
> -              * complain about held lock when we return to userspace.
> +              * We release freeze protection in aio_complete_rw().  Fool
> +              * lockdep by telling it the lock got released so that it
> +              * doesn't complain about held lock when we return to userspace.
>                */
> -             if (S_ISREG(file_inode(file)->i_mode))
> -                     __sb_writers_release(file_inode(file)->i_sb, 
> SB_FREEZE_WRITE);
> +             if (S_ISREG(inode->i_mode))

... and that's another use-after-free, since we might've already done fput() of
that sucker by that point.

> +                     __sb_writers_release(inode->i_sb, SB_FREEZE_WRITE);
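Review bot: the new `inode` local is dereferenced (`S_ISREG(inode->i_mode)`, `inode->i_sb`) after `call_write_iter()` returns, but the comment two lines above states that freeze protection is released in `aio_complete_rw()`, i.e. the request can complete, and the file reference can be dropped, before control comes back here, so both the removed `file_inode(file)->...` form and the new `inode->...` form read from an object that may already be gone. Suggest computing what the release path needs before the call, e.g. `bool is_reg = S_ISREG(inode->i_mode);` and `struct super_block *sb = inode->i_sb;` just after `struct inode *inode = file_inode(file);`, and then using `if (is_reg) __sb_writers_release(sb, SB_FREEZE_WRITE);` after the write, or restructuring so the lockdep bookkeeping is done before the request can be completed.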
