iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
7c752ed325
linux/drivers/block/drbd
History
Lars Ellenberg 7c752ed325 drbd: fix potential get_ldev/put_ldev refcount imbalance during attach 
Race:

drbd_adm_attach()               | async drbd_md_endio()
                                |
device->ldev is still NULL.     |
                                |
drbd_md_read(                   |
 .endio = drbd_md_endio;        |
 submit;                        |
 ....                           |
 wait for done == 1;            |       done = 1;
);                              |       wake_up();
.. lot of other stuff,          |
.. includeing taking and        |
...giving up locks,             |
.. doing further IO,            |
.. stuff that takes "some time" |
                                | while in this context,
                                | this is the next statement.
                                | which means this context was scheduled
.. only then, finally,          | away for "some time".
device->ldev = nbc;             |
                                |       if (device->ldev)
                                |               put_ldev()

Unlikely, but possible. I was able to provoke it "reliably"
by adding an mdelay(500); after the wake_up().
Fixed by moving the if (!NULL) put_ldev() before done = 1;

Impact of the bug was that the resulting refcount imbalance
could lead to premature destruction of the object, potentially
causing a NULL pointer dereference during a subsequent detach.

Signed-off-by: Philipp Reisner <philipp.reisner@linbit.com>
Signed-off-by: Lars Ellenberg <lars.ellenberg@linbit.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2017-08-29 15:34:45 -06:00
..
drbd_actlog.c block: replace bi_bdev with a gendisk pointer and partitions index 2017-08-23 12:49:55 -06:00
drbd_bitmap.c block: replace bi_bdev with a gendisk pointer and partitions index 2017-08-23 12:49:55 -06:00
drbd_debugfs.c drbd: make intelligent use of blkdev_issue_zeroout 2017-04-08 11:25:38 -06:00
drbd_debugfs.h drbd: debugfs: add basic hierarchy 2014-07-10 18:35:16 +02:00
drbd_int.h drbd: introduce drbd_recv_header_maybe_unplug 2017-08-29 15:34:43 -06:00
drbd_interval.c drbd: use RB_DECLARE_CALLBACKS() to define augment callbacks 2014-09-18 09:00:17 -06:00
drbd_interval.h drbd: code cleanups without semantic changes 2016-06-13 21:43:07 -06:00
drbd_main.c drbd: mark symbols static where possible 2017-08-29 15:34:44 -06:00
drbd_nl.c drbd: new disk-option disable-write-same 2017-08-29 15:34:44 -06:00
drbd_nla.c netlink: pass extended ACK struct to parsing functions 2017-04-13 13:58:22 -04:00
drbd_nla.h drbd: Split off netlink mandatory attribute handling into separate file 2012-11-08 16:57:45 +01:00
drbd_proc.c block: Use pointer to backing_dev_info from request_queue 2017-02-02 08:20:48 -07:00
drbd_protocol.h drbd: introduce WRITE_SAME support 2016-06-13 21:43:07 -06:00
drbd_receiver.c drbd: mark symbols static where possible 2017-08-29 15:34:44 -06:00
drbd_req.c drbd: add explicit plugging when submitting batches 2017-08-29 15:34:44 -06:00
drbd_req.h drbd: introduce drbd_recv_header_maybe_unplug 2017-08-29 15:34:43 -06:00
drbd_state_change.h drbd: Backport the "events2" command 2015-11-25 09:22:00 -07:00
drbd_state.c drbd: Fix resource role for newly created resources in events2 2017-08-29 15:34:44 -06:00
drbd_state.h drbd: code cleanups without semantic changes 2016-06-13 21:43:07 -06:00
drbd_strings.c drbd: code cleanups without semantic changes 2016-06-13 21:43:07 -06:00
drbd_strings.h drbd: Move string function prototypes from linux/drbd.h to drbd_string.h 2014-02-17 16:50:37 +01:00
drbd_vli.h
drbd_worker.c drbd: fix potential get_ldev/put_ldev refcount imbalance during attach 2017-08-29 15:34:45 -06:00
Kconfig drbd: update Kconfig to match current dependencies 2012-12-06 13:08:29 +01:00
Makefile drbd: debugfs: add basic hierarchy 2014-07-10 18:35:16 +02:00