From 0d8668cb44550163eb8d4111006a105a6826bdbb Mon Sep 17 00:00:00 2001
From: Raghavendra G
Date: Thu, 21 Mar 2019 16:37:30 +0530
Subject: performance/write-behind: fix use after free in readdirp_cbk

wb_inode->lock is accessed after inode_unref (inode), which is a use-after-free as the inode_unref can potentially free up the inode and hence the inode-ctx (wb_inode). Instead inode_unref has to happen after the last access of wb_inode.

Change-Id: Ie1a8bb5e44a668578e7d6bcedc77df52618a36e2
Signed-off-by: Raghavendra G
Fixes: bz#1691292
---
 xlators/performance/write-behind/src/write-behind.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/xlators/performance/write-behind/src/write-behind.c b/xlators/performance/write-behind/src/write-behind.c
index c80f0e7e271..6093ec2d7a1 100644
--- a/xlators/performance/write-behind/src/write-behind.c
+++ b/xlators/performance/write-behind/src/write-behind.c
@@ -2494,11 +2494,14 @@ wb_readdirp_cbk (call_frame_t *frame, void *cookie, xlator_t *this,
                                 entry->inode = NULL;
                                 memset (&entry->d_stat, 0, sizeof (entry->d_stat));
-
-                                inode_unref (inode);
                         }
                 }
                 UNLOCK (&wb_inode->lock);
+
+                if (inode) {
+                        inode_unref (inode);
+                        inode = NULL;
+                }
         }
 
 unwind:
--
cgit
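Review bot: The deferred `if (inode)` block after `UNLOCK (&wb_inode->lock);` is only correct per entry because `inode = NULL;` resets it at the end of each iteration; the very first iteration relies on `inode` being initialised to NULL at its declaration, which lies outside this hunk and is worth confirming rather than assuming. The reason for unreferencing outside the locked region is not visible at the call site, so a one-line comment would stop a future cleanup from hoisting the `inode_unref` back next to the `memset`: `/* wb_inode lives in inode's ctx: unref only after the last touch of wb_inode->lock */`. Since `wb_inode` is not read again after the unref in the new code, the ordering now matches the lifetime the commit message describes. The enclosing wb_readdirp_cbk starts before and continues after this hunk.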