aio: hold an extra file reference over AIO read/write operations

Otherwise we might dereference an already freed file and/or inode
when aio_complete is called before we return from the read_iter or
write_iter method.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
(cherry picked from commit 0b944d3a4bba6b25f43aed530f4fa85c04d162a6)
Change-Id: I628a87b5036ba1ba5ba5152fa0329d02999d3649
Git-Commit: 0b944d3a4bba6b25f43aed530f4fa85c04d162a6
Git-Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git
[riteshh@codeaurora.org: resolve trivial merge conflicts]
Signed-off-by: Ritesh Harjani <riteshh@codeaurora.org>

diff --git a/fs/aio.c b/fs/aio.c
index c4b5086..3fe0757 100644 (file)
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -1470,6 +1470,7 @@ rw_common:
 
                len = ret;
 
+               get_file(file);
                if (rw == WRITE)
                        file_start_write(file);
 
@@ -1477,6 +1478,7 @@ rw_common:
 
                if (rw == WRITE)
                        file_end_write(file);
+               fput(file);
                kfree(iovec);
                break;