Commit f65363cf authored Sep 14, 2010 by Lars Ellenberg Committed by Philipp Reisner Oct 14, 2010

drbd: fix possible access after free



If we release the page pointed to by md_io_tmpp, we need to zero out the
pointer, too, as that may be used later to decide whether we need to
allocate a new page again.

Impact: a previously freed page may be used and clobbered.  Depending on
what that particular page is being used for meanwhile, this may result
in silent data corruption of completely unrelated things.

Only of concern on devices with logical_block_size != 512 byte,
if you re-attach after becoming diskless once.

Signed-off-by: Philipp Reisner <philipp.reisner@linbit.com>
Signed-off-by: Lars Ellenberg <lars.ellenberg@linbit.com>

parent 8979d9c9

drivers/block/drbd/drbd_main.c

+3 −1

Original line number	Original line	Diff line number	Diff line
	@@ -1407,8 +1407,10 @@ static void after_state_ch(struct drbd_conf *mdev, union drbd_state os,
	drbd_free_bc(mdev->ldev);		drbd_free_bc(mdev->ldev);
	mdev->ldev = NULL;);		mdev->ldev = NULL;);

	if (mdev->md_io_tmpp)		if (mdev->md_io_tmpp) {
	__free_page(mdev->md_io_tmpp);		__free_page(mdev->md_io_tmpp);
			mdev->md_io_tmpp = NULL;
			}
	}		}

	/* Disks got bigger while they were detached */		/* Disks got bigger while they were detached */