bcachefs: Fix a use after free

op->end_io may free the op struct

Signed-off-by: Kent Overstreet <kent.overstreet@gmail.com>
Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>

diff --git a/fs/bcachefs/io.c b/fs/bcachefs/io.c
index 4b54506b517c544fcf9cc579d14c97db063998bc..dd8f356f3ef0375c267316965f2e3d704ed79770 100644 (file)
--- a/fs/bcachefs/io.c
+++ b/fs/bcachefs/io.c
@@ -516,12 +516,13 @@ static void bch2_write_done(struct closure *cl)
 
        bch2_time_stats_update(&c->times[BCH_TIME_data_write], op->start_time);
 
-       if (op->end_io)
+       if (op->end_io) {
+               EBUG_ON(cl->parent);
+               closure_debug_destroy(cl);
                op->end_io(op);
-       if (cl->parent)
+       } else {
                closure_return(cl);
-       else
-               closure_debug_destroy(cl);
+       }
 }
 
 /**
@@ -1234,12 +1235,14 @@ void bch2_write(struct closure *cl)
 err:
        if (!(op->flags & BCH_WRITE_NOPUT_RESERVATION))
                bch2_disk_reservation_put(c, &op->res);
-       if (op->end_io)
+
+       if (op->end_io) {
+               EBUG_ON(cl->parent);
+               closure_debug_destroy(cl);
                op->end_io(op);
-       if (cl->parent)
+       } else {
                closure_return(cl);
-       else
-               closure_debug_destroy(cl);
+       }
 }
 
 /* Cache promotion on read */