[DRBD-user] drbd connection dying badly, ever-rising load, requiring hard machine reset

Jasmin J. jasmin at anw.at
Wed Nov 30 09:24:56 CET 2016

Note: "permalinks" may not be as permanent as we would like,
direct links of old sources may well be a few messages off.


 > FWIW, you need that fix in drbd 9 too.
I recently found this during a code review and submitted a patch already.
The archive doesn't save attachments, so I added the patch again.

You may check it and an "Acked-by", if you like.

-------------- next part --------------
>From 36f1ffa748c57c262a8375cc4c37803ef28d51fc Mon Sep 17 00:00:00 2001
From: Jasmin Jessich <jasmin at anw.at>
Date: Sun, 27 Nov 2016 02:52:33 +0100
Subject: [PATCH] drbd9: Fix kernel_sendmsg() usage - potential NULL deref

Don't pass a size larger than iov_len to kernel_sendmsg().
Otherwise it will cause a NULL pointer deref when kernel_sendmsg()
returns with rv < size.

I found this during a recent code review triggered by a email on the
drbd-user mailing list. It is a simple port of this commit

Signed-off-by: Jasmin Jessich <jasmin at anw.at>
 drbd/drbd_transport_tcp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drbd/drbd_transport_tcp.c b/drbd/drbd_transport_tcp.c
index f7e937f..ed2ff8e 100644
--- a/drbd/drbd_transport_tcp.c
+++ b/drbd/drbd_transport_tcp.c
@@ -229,7 +229,7 @@ static int _dtt_send(struct drbd_tcp_transport *tcp_transport, struct socket *so
  * do we need to block DRBD_SIG if sock == &meta.socket ??
  * otherwise wake_asender() might interrupt some send_*Ack !
-		rv = kernel_sendmsg(socket, &msg, &iov, 1, size);
+		rv = kernel_sendmsg(socket, &msg, &iov, 1, iov.iov_len);
 		if (rv == -EAGAIN) {
 			struct drbd_transport *transport = &tcp_transport->transport;
 			enum drbd_stream stream =

More information about the drbd-user mailing list