| author | Raghavendra G <rgowdapp@redhat.com> | 2019-03-21 16:37:30 +0530 | 
|---|---|---|
| committer | Raghavendra G <rgowdapp@redhat.com> | 2019-03-27 10:48:12 +0530 | 
| commit | 0d8668cb44550163eb8d4111006a105a6826bdbb (patch) | |
| tree | 6b60f80af63e5795a872f6e5c8c6a033f738153f | |
| parent | 7cbf23bbc61879e7af70bbb2b42951a73966f3c6 (diff) | |
performance/write-behind: fix use after free in readdirp_cbk

wb_inode->lock is accessed after inode_unref (inode), which is a
use-after-free as the inode_unref can potentially free up the inode
and hence the inode-ctx (wb_inode). Instead inode_unref has to happen
after the last access of wb_inode.

Change-Id: Ie1a8bb5e44a668578e7d6bcedc77df52618a36e2
Signed-off-by: Raghavendra G <rgowdapp@redhat.com>
Fixes: bz#1691292
| -rw-r--r-- | xlators/performance/write-behind/src/write-behind.c | 7 | 
1 files changed, 5 insertions, 2 deletions
diff --git a/xlators/performance/write-behind/src/write-behind.c b/xlators/performance/write-behind/src/write-behind.c index c80f0e7e271..6093ec2d7a1 100644 --- a/xlators/performance/write-behind/src/write-behind.c +++ b/xlators/performance/write-behind/src/write-behind.c @@ -2494,11 +2494,14 @@ wb_readdirp_cbk (call_frame_t *frame, void *cookie, xlator_t *this,                                  entry->inode = NULL;                                  memset (&entry->d_stat, 0,                                          sizeof (entry->d_stat)); - -                                inode_unref (inode);                          }                  }                  UNLOCK (&wb_inode->lock); + +                if (inode) { +                        inode_unref (inode); +                        inode = NULL; +                }          }  unwind:  | 
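Review bot: the relocated `inode_unref (inode)` after `UNLOCK (&wb_inode->lock)` is no longer inside the branch that sets `entry->inode = NULL`, so it is only safe if `inode` is guaranteed to be NULL whenever that branch was not taken. The hunk does not show the declaration or assignment of `inode`; please confirm it is initialised to NULL and assigned only inside that branch, otherwise the `if (inode)` check could drop a reference that `entry->inode` still owns. The `inode = NULL;` reset after the unref covers later passes through this code but not the first one. A one-line comment above the new block stating that the unref can free the inode and with it `wb_inode`, and therefore must follow the last access to `wb_inode->lock`, would keep a later cleanup from moving it back under the lock.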
