Hi!
> FWIW, you need that fix in drbd 9 too.
I recently found this during a code review and submitted a patch already.
http://lists.linbit.com/pipermail/drbd-user/2016-November/023392.html
The archive doesn't save attachments, so I added the patch again.
You may check it and add an "Acked-by", if you like.
BR,
Jasmin
-------------- next part --------------
>From 36f1ffa748c57c262a8375cc4c37803ef28d51fc Mon Sep 17 00:00:00 2001
From: Jasmin Jessich <jasmin at anw.at>
Date: Sun, 27 Nov 2016 02:52:33 +0100
Subject: [PATCH] drbd9: Fix kernel_sendmsg() usage - potential NULL deref
Don't pass a size larger than iov_len to kernel_sendmsg().
Otherwise it will cause a NULL pointer deref when kernel_sendmsg()
returns with rv < size.
I found this during a recent code review triggered by an email on the
drbd-user mailing list. It is a simple port of this commit
http://git.drbd.org/drbd-8.4.git/commit/e0645836e870346cafe688cbdd8ec29092f6cdb5
Signed-off-by: Jasmin Jessich <jasmin at anw.at>
---
drbd/drbd_transport_tcp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drbd/drbd_transport_tcp.c b/drbd/drbd_transport_tcp.c
index f7e937f..ed2ff8e 100644
--- a/drbd/drbd_transport_tcp.c
+++ b/drbd/drbd_transport_tcp.c
@@ -229,7 +229,7 @@ static int _dtt_send(struct drbd_tcp_transport *tcp_transport, struct socket *so
* do we need to block DRBD_SIG if sock == &meta.socket ??
* otherwise wake_asender() might interrupt some send_*Ack !
*/
- rv = kernel_sendmsg(socket, &msg, &iov, 1, size);
+ rv = kernel_sendmsg(socket, &msg, &iov, 1, iov.iov_len);
if (rv == -EAGAIN) {
struct drbd_transport *transport = &tcp_transport->transport;
enum drbd_stream stream =
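Review bot: At the changed kernel_sendmsg() call, passing iov.iov_len is only correct if iov.iov_len holds the bytes still to be sent each time the call is reached, and the hunk does not show where iov.iov_base and iov.iov_len are set or advanced after a short send, nor what the surrounding code compares against size afterwards. Please confirm that the code following this call reduces iov.iov_len by rv and still completes on the total size, and consider stating in the commit message that size stays at the full length while iov.iov_len shrinks, since that is what makes the two differ once rv < size.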
--
1.9.1
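The condition named in the commit message, modelled in user space as an added example (not DRBD or kernel code, and not part of the original mail). It assumes a send loop that advances the iovec after each short send, which the hunk does not show; `mock_sock`, `mock_sendmsg` and `send_all` are hypothetical names.

```c
#include <stddef.h>
#include <string.h>
#include <sys/uio.h>   /* struct iovec */

/* Constructed stand-in for a transport that accepts at most `chunk` bytes per
 * call. It records whether the caller ever asked for more bytes than the
 * single iovec describes, which is the condition the patch removes. */
struct mock_sock { size_t chunk; int over_request; char sink[64]; size_t used; };

static long mock_sendmsg(struct mock_sock *s, const struct iovec *iov, size_t len)
{
    if (len > iov->iov_len) {      /* length claims bytes the iovec lacks */
        s->over_request = 1;
        len = iov->iov_len;        /* the model clamps so it can keep running */
    }
    size_t n = len < s->chunk ? len : s->chunk;
    memcpy(s->sink + s->used, iov->iov_base, n);
    s->used += n;
    return (long)n;
}

/* Send `size` bytes from buf. use_iov_len = 0 models the call before the
 * patch (always passes `size`), 1 the call after it (passes iov.iov_len).
 * Returns 1 if any call over-requested, 0 if none did, -1 on error. */
static int send_all(struct mock_sock *s, void *buf, size_t size, int use_iov_len)
{
    struct iovec iov = { .iov_base = buf, .iov_len = size };
    size_t sent = 0;
    do {
        long rv = mock_sendmsg(s, &iov, use_iov_len ? iov.iov_len : size);
        if (rv <= 0) return -1;
        sent += (size_t)rv;
        iov.iov_base = (char *)iov.iov_base + rv;  /* skip the bytes already sent */
        iov.iov_len -= (size_t)rv;                 /* remaining bytes in the iovec */
    } while (sent < size);
    return s->over_request;
}

int main(void)
{
    char msg[] = "0123456789";                     /* constructed payload */
    struct mock_sock a = { .chunk = 4 }, b = { .chunk = 4 };
    int before = send_all(&a, msg, 10, 0);         /* short sends: size > iov_len */
    int after = send_all(&b, msg, 10, 1);          /* length always matches iovec */
    return !(before == 1 && after == 0);
}
```

With a transport that takes the whole buffer in one call, both variants behave the same; the mismatch appears only after a short send, matching the "rv < size" condition in the commit message.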