diff options
| author | Lars Ellenberg <lars.ellenberg@linbit.com> | 2012-06-19 09:40:00 +0200 | 
|---|---|---|
| committer | Philipp Reisner <philipp.reisner@linbit.com> | 2012-07-24 14:15:16 +0200 | 
| commit | c12e9c8964215aaf2b5dcd06048444c2b672f0b9 (patch) | |
| tree | a13c5561ad0325ca247f4c1d9d0b7770da0c64bb /net/tipc/socket.c | |
| parent | 63a6d0bb3dd69afedb2b2952eb1d1e8340c11d0d (diff) | |
drbd: fix potential access after free
Occasionally, if we disconnect, we triggered this assert:
  block drbd7: ASSERT FAILED tl_hash[27] == c30b0f04, expected NULL
hlist_del() happens only on master bio completion.
We used to wait for pending IO to complete before freeing tl_hash
on disconnect. We no longer do so, since we learned to "freeze"
IO on disconnect.
If the local disk is too slow, we may reach C_STANDALONE early,
and there are still some requests pending locally when we call
drbd_free_tl_hash().
If we now free the tl_hash, and later the local IO completion completes
the master bio, which then does hlist_del() and clobbers freed memory.
Do hlist_del_init() and hlist_add_fake() before kfree(tl_hash),
so the hlist_del() on master bio completion is harmless.
Signed-off-by: Philipp Reisner <philipp.reisner@linbit.com>
Signed-off-by: Lars Ellenberg <lars.ellenberg@linbit.com>
Diffstat (limited to 'net/tipc/socket.c')
0 files changed, 0 insertions, 0 deletions
