[Drbd-dev] [PATCH v2] drbd: fix a race of drbd_free_peer_req

[Rui Xu]

Commit e061feb8 and 9a11ebeb5 introduce a bug to race with drbd_free_peer_req()
in got_peer_ack.

drbd_free_page_chain in drbd_finish_peer_reqs and got_peer_ack may happen
concurrently， the sequence is as follows:

drbd_finish_peer_reqs                 got_peer_ack
drbd_free_page_chain                  drbd_free_peer_req
spin_lock()
page_chain_add
spin_unlock()                         spin_lock()
                                      page_chain_add
                                      spin_unlock()

We can see that page_chain_add will be called twice which will lead
to crash.

Swap drbd_may_finish_epoch() and drbd_free_page_chain() in e_end_block()
to ensure that got_peer_ack will not be called while still processing
the request in drbd_finish_peer_reqs().

Signed-off-by: Rui Xu <rui.xu at easystack.cn>
---
 drbd/drbd_receiver.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drbd/drbd_receiver.c b/drbd/drbd_receiver.c
index f077f2b..d0f42d3 100644
--- a/drbd/drbd_receiver.c
+++ b/drbd/drbd_receiver.c
@@ -2560,9 +2560,10 @@ static int e_end_block(struct drbd_work *w, int cancel)
 	} else
 		D_ASSERT(device, drbd_interval_empty(&peer_req->i));
 
+	drbd_free_page_chain(&peer_device->connection->transport, &peer_req->page_chain, 0);
+
 	drbd_may_finish_epoch(peer_device->connection, peer_req->epoch, EV_PUT + (cancel ? EV_CLEANUP : 0));
 
-	drbd_free_page_chain(&peer_device->connection->transport, &peer_req->page_chain, 0);
 	return err;
 }
 
-- 
1.8.3.1