It's possible to have outstanding xfs_ioend_t's queued when the file
size is zero. This can happen in the direct I/O path when a direct
I/O write fails due to ENOSPC. In this case the xfs_ioend_t will still
be queued (ie xfs_end_io_direct() does not know that the I/O failed so
can't force the xfs_ioend_t to be flushed synchronously).
When we truncate a file on unlink we don't know to wait for these
xfs_ioend_ts and we can have a use-after-free situation if the inode
is reclaimed before the xfs_ioend_t is finally processed.
As was suggested by Dave Chinner lets wait for all I/Os to complete
when truncating the file size to zero.
--- a/fs/xfs/xfs_inode.c 2008-09-23 14:18:27.000000000 +1000
+++ b/fs/xfs/xfs_inode.c 2008-09-23 13:53:16.000000000 +1000
@@ -1449,7 +1449,7 @@ xfs_itruncate_start(
mp = ip->i_mount;
/* wait for the completion of any pending DIOs */
- if (new_size < ip->i_size)
+ if (new_size == 0 || new_size < ip->i_size)
vn_iowait(ip);
/*
|