[Drbd-dev] [PATCH] Fixed possible use after free in drbd_thread_setup

johannes at johannesthoma.com
Thu Dec 21 18:53:30 CET 2017


From: Johannes Thoma <johannes at johannesthoma.com>

drbd_thread might already be freed when complete returns,
hence we shouldn't access the drbd_thread object (thi)
after calling complete().

I am not 100% sure if this creates any further races;
an alternative would be to acquire the lock before freeing
the thread object (so that spin_unlock_irqrestore() has
exited already). Please let me know what you think.

Signed-off-by: Johannes Thoma <johannes at johannesthoma.com>
---
 drbd/drbd_main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drbd/drbd_main.c b/drbd/drbd_main.c
index a2b5683..dbf2e41 100644
--- a/drbd/drbd_main.c
+++ b/drbd/drbd_main.c
@@ -563,8 +563,8 @@ restart:
 	else
 		drbd_info(resource, "Terminating %s thread\n", thi->name);
 
-	complete(&thi->stop);
 	spin_unlock_irqrestore(&thi->t_lock, flags);
+	complete(&thi->stop);
 
 	if (connection)
 		kref_put(&connection->kref, drbd_destroy_connection);
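Review bot: The new placement of complete(&thi->stop) after spin_unlock_irqrestore() needs a one-line comment stating that the object embedding thi may be freed by the waiter as soon as complete() returns and must not be touched afterwards; without it, the next edit to this function can reintroduce the same use-after-free. The reorder itself is right for the reason visible in the hunk: spin_unlock_irqrestore(&thi->t_lock, flags) dereferences thi, so it has to run before the complete() that lets the stop path free it, while the drbd_info(..., thi->name) call above is unaffected because it already runs before both. In the context that follows, the only remaining access is to `connection`, which is held through its own kref and dropped by the kref_put below, so nothing else in this function outlives the move. On the alternative raised in the commit message, taking t_lock before freeing would only close the window if every free path did so; dropping the lock before signalling completion is the simpler and more robust fix.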
-- 
2.8.0-rc4