Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 1d53f09e authored by Lars Ellenberg's avatar Lars Ellenberg Committed by Philipp Reisner
Browse files

drbd: fix potential kernel BUG (NULL deref) 



BUG trace would look like:
 lc_find
 drbd_rs_complete_io
 got_OVResult
 drbd_asender

Could be triggered by explicit, or IO-error policy based,
detach during online-verify.

We may only dereference mdev->resync, if we first get_ldev(), as the
disk may break any time, causing mdev->resync to disappear once all
ldev references have been returned.
Already in flight online-verify requests or replies may still come in,
which we then need to ignore.

Signed-off-by: default avatarPhilipp Reisner <philipp.reisner@linbit.com>
Signed-off-by: default avatarLars Ellenberg <lars.ellenberg@linbit.com>
parent 435f0740

drivers/block/drbd/drbd_receiver.c

+11 −4
Original line number Diff line number Diff line
@@ -4241,10 +4241,13 @@ static int got_IsInSync(struct drbd_conf *mdev, struct p_header80 *h) 


	update_peer_seq(mdev, be32_to_cpu(p->seq_num));



	if (get_ldev(mdev)) {

		drbd_rs_complete_io(mdev, sector);

		drbd_set_in_sync(mdev, sector, blksize);

		/* rs_same_csums is supposed to count in units of BM_BLOCK_SIZE */

		mdev->rs_same_csum += (blksize >> BM_BLOCK_SHIFT);

		put_ldev(mdev);

	}

	dec_rs_pending(mdev);

	atomic_add(blksize >> 9, &mdev->rs_sect_in);
@@ -4423,6 +4426,9 @@ static int got_OVResult(struct drbd_conf *mdev, struct p_header80 *h) 
	else

		ov_oos_print(mdev);



	if (!get_ldev(mdev))

		return TRUE;



	drbd_rs_complete_io(mdev, sector);

	dec_rs_pending(mdev);
@@ -4437,6 +4443,7 @@ static int got_OVResult(struct drbd_conf *mdev, struct p_header80 *h) 
			drbd_resync_finished(mdev);

		}

	}

	put_ldev(mdev);

	return TRUE;

}

drivers/block/drbd/drbd_worker.c

+8 −2
Original line number Diff line number Diff line
@@ -1027,7 +1027,10 @@ int w_e_end_csum_rs_req(struct drbd_conf *mdev, struct drbd_work *w, int cancel) 
		return 1;

	}



	if (get_ldev(mdev)) {

		drbd_rs_complete_io(mdev, e->sector);

		put_ldev(mdev);

	}



	di = e->digest;
@@ -1134,7 +1137,10 @@ int w_e_end_ov_reply(struct drbd_conf *mdev, struct drbd_work *w, int cancel) 


	/* after "cancel", because after drbd_disconnect/drbd_rs_cancel_all

	 * the resync lru has been cleaned up already */

	if (get_ldev(mdev)) {

		drbd_rs_complete_io(mdev, e->sector);

		put_ldev(mdev);

	}



	di = e->digest;