drbd: fix possible access after free

If we release the page pointed to by md_io_tmpp, we need to zero out the pointer, too, as that may be used later to decide whether we need to allocate a new page again. Impact: a previously freed page may be used and clobbered. Depending on what that particular page is being used for meanwhile, this may result in silent data corruption of completely unrelated things. Only of concern on devices with logical_block_size != 512 byte, if you re-attach after becoming diskless once. Signed-off-by: Philipp Reisner <philipp.reisner@linbit.com> Signed-off-by: Lars Ellenberg <lars.ellenberg@linbit.com>
author: Lars Ellenberg <lars.ellenberg@linbit.com> 2010-09-14 14:14:09 -0400
committer: Philipp Reisner <philipp.reisner@linbit.com> 2010-10-14 12:38:41 -0400
commit: f65363cfa05fe60874030461a0eeb84b7e60cba4 (patch)
tree: 02bec26e82989cf7fff97e3f4ff0108b74032832
parent: 8979d9c9e0bc8e54cf5bd7a89abb2145f087b5e1 (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/drivers/block/drbd/drbd_main.c b/drivers/block/drbd/drbd_main.c
index 4f33714fb3cd..e1f2c2e54f5f 100644
--- a/drivers/block/drbd/drbd_main.c
+++ b/drivers/block/drbd/drbd_main.c
@@ -1407,8 +1407,10 @@ static void after_state_ch(struct drbd_conf *mdev, union drbd_state os,
                        drbd_free_bc(mdev->ldev);
                        mdev->ldev = NULL;);
-                if (mdev->md_io_tmpp)
+                if (mdev->md_io_tmpp) {
                        __free_page(mdev->md_io_tmpp);
+                        mdev->md_io_tmpp = NULL;
+                }
        }
        /* Disks got bigger while they were detached */
author	Lars Ellenberg <lars.ellenberg@linbit.com>	2010-09-14 14:14:09 -0400
committer	Philipp Reisner <philipp.reisner@linbit.com>	2010-10-14 12:38:41 -0400
commit	f65363cfa05fe60874030461a0eeb84b7e60cba4 (patch)
tree	02bec26e82989cf7fff97e3f4ff0108b74032832
parent	8979d9c9e0bc8e54cf5bd7a89abb2145f087b5e1 (diff)