From e293dc860cad0a7dbca3e37d0031cc7a1e2a6c59 Mon Sep 17 00:00:00 2001
From: Alan Cox
Date: Thu, 2 Jun 2005 23:14:38 +0000
Subject: [PATCH] In aio_waitcomplete() correct two cases of using an aiocb after freeing it.
---
 sys/kern/vfs_aio.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/sys/kern/vfs_aio.c b/sys/kern/vfs_aio.c
index ff700aa3808..3cff7997d62 100644
--- a/sys/kern/vfs_aio.c
+++ b/sys/kern/vfs_aio.c
@@ -2246,17 +2246,19 @@ aio_waitcomplete(struct thread *td, struct aio_waitcomplete_args *uap)
 p->p_stats->p_ru.ru_inblock += cb->inputcharge;
 cb->inputcharge = 0;
 }
+ error = cb->uaiocb._aiocb_private.error;
 aio_free_entry(cb);
- return (cb->uaiocb._aiocb_private.error);
+ return (error);
 }
 s = splbio();
 if ((cb = TAILQ_FIRST(&ki->kaio_bufdone)) != 0 ) {
 splx(s);
 suword(uap->aiocbp, (uintptr_t)cb->uuaiocb);
+ error = cb->uaiocb._aiocb_private.error;
 td->td_retval[0] = cb->uaiocb._aiocb_private.status;
 aio_free_entry(cb);
- return (cb->uaiocb._aiocb_private.error);
+ return (error);
 }
 ki->kaio_flags |= KAIO_WAKEUP;
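Review bot: The result of `suword(uap->aiocbp, (uintptr_t)cb->uuaiocb);` in the kaio_bufdone branch is still ignored, so when the user-supplied `aiocbp` address cannot be written the entry is freed anyway and the caller never learns which request completed. Consider testing that store before `aio_free_entry(cb)` and reporting EFAULT on failure; whether the job should then stay queued is a design decision that cannot be judged from this hunk. Both new `error = cb->uaiocb._aiocb_private.error;` lines would also benefit from a short comment such as `/* copy out before aio_free_entry() releases cb */`, so a later cleanup does not reintroduce the read after free. The declaration of `error` and the start and end of aio_waitcomplete() lie outside the hunk.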