diff options
| author | Lars Ellenberg <[email protected]> | 2012-06-19 07:40:00 +0000 |
|---|---|---|
| committer | Philipp Reisner <[email protected]> | 2012-07-24 12:15:16 +0000 |
| commit | c12e9c8964215aaf2b5dcd06048444c2b672f0b9 (patch) | |
| tree | a13c5561ad0325ca247f4c1d9d0b7770da0c64bb /net/unix/af_unix.c | |
| parent | drbd: call local-io-error handler early (diff) | |
| download | kernel-c12e9c8964215aaf2b5dcd06048444c2b672f0b9.tar.gz kernel-c12e9c8964215aaf2b5dcd06048444c2b672f0b9.zip | |
drbd: fix potential access after free
Occasionally, if we disconnect, we triggered this assert:
block drbd7: ASSERT FAILED tl_hash[27] == c30b0f04, expected NULL
hlist_del() happens only on master bio completion.
We used to wait for pending IO to complete before freeing tl_hash
on disconnect. We no longer do so, since we learned to "freeze"
IO on disconnect.
If the local disk is too slow, we may reach C_STANDALONE early,
and there are still some requests pending locally when we call
drbd_free_tl_hash().
If we now free the tl_hash, and later the local IO completion completes
the master bio, which then does hlist_del() and clobbers freed memory.
Do hlist_del_init() and hlist_add_fake() before kfree(tl_hash),
so the hlist_del() on master bio completion is harmless.
Signed-off-by: Philipp Reisner <[email protected]>
Signed-off-by: Lars Ellenberg <[email protected]>
Diffstat (limited to 'net/unix/af_unix.c')
0 files changed, 0 insertions, 0 deletions