drbd: Fixed a race between disk-attach and unexpected state changes
authorPhilipp Reisner <philipp.reisner@linbit.com>
Wed, 2 Jun 2010 12:31:29 +0000 (14:31 +0200)
committerPhilipp Reisner <philipp.reisner@linbit.com>
Mon, 14 Jun 2010 10:19:41 +0000 (12:19 +0200)
This was a very hard to trigger race condition.

If we got a state packet from the peer, after drbd_nl_disk() has
already changed the disk state to D_NEGOTIATING but
after_state_ch() was not yet run by the worker, then receive_state()
might called drbd_sync_handshake(), which in turn crashed
when accessing p_uuid.

Signed-off-by: Philipp Reisner <philipp.reisner@linbit.com>
Signed-off-by: Lars Ellenberg <lars.ellenberg@linbit.com>
drivers/block/drbd/drbd_main.c
drivers/block/drbd/drbd_nl.c
include/linux/drbd.h

index 6b077f93acc620eaf40fa85599dbe83745779c28..7258c95e895e3c3ff7c91bdc3660154d55061413 100644 (file)
@@ -1236,8 +1236,6 @@ static void after_state_ch(struct drbd_conf *mdev, union drbd_state os,
        /* Last part of the attaching process ... */
        if (ns.conn >= C_CONNECTED &&
            os.disk == D_ATTACHING && ns.disk == D_NEGOTIATING) {
-               kfree(mdev->p_uuid); /* We expect to receive up-to-date UUIDs soon. */
-               mdev->p_uuid = NULL; /* ...to not use the old ones in the mean time */
                drbd_send_sizes(mdev, 0, 0);  /* to start sync... */
                drbd_send_uuids(mdev);
                drbd_send_state(mdev);
index 632e3245d1bb2a2f74d01394a4fb55862e30b226..2151f18b21deb27e0d5ecbd369180f12333b3479 100644 (file)
@@ -1114,6 +1114,12 @@ static int drbd_nl_disk_conf(struct drbd_conf *mdev, struct drbd_nl_cfg_req *nlp
                mdev->new_state_tmp.i = ns.i;
                ns.i = os.i;
                ns.disk = D_NEGOTIATING;
+
+               /* We expect to receive up-to-date UUIDs soon.
+                  To avoid a race in receive_state, free p_uuid while
+                  holding req_lock. I.e. atomic with the state change */
+               kfree(mdev->p_uuid);
+               mdev->p_uuid = NULL;
        }
 
        rv = _drbd_set_state(mdev, ns, CS_VERBOSE, NULL);
index 30da4ae489724197a220a83a6e39d1cba0a264c4..b8d2516668aa067d43d7c6c6e5301f3688469658 100644 (file)
@@ -53,7 +53,7 @@
 
 
 extern const char *drbd_buildtag(void);
-#define REL_VERSION "8.3.8rc2"
+#define REL_VERSION "8.3.8"
 #define API_VERSION 88
 #define PRO_VERSION_MIN 86
 #define PRO_VERSION_MAX 94