drbd: fix unlikely access after free and list corruption

Various cleanup paths have been incomplete, for the very unlikely case
that we cannot allocate enough bios from process context when submitting
on behalf of the peer or resync process.

Never observed.

Signed-off-by: Philipp Reisner <philipp.reisner@linbit.com>
Signed-off-by: Lars Ellenberg <lars.ellenberg@linbit.com>

2 files changed, 32 insertions, 0 deletions

diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c
index 990fe01afa50..71775a9de21d 100644
--- a/drivers/block/drbd/drbd_receiver.c
+++ b/drivers/block/drbd/drbd_receiver.c
@@ -1573,6 +1573,13 @@ static int recv_resync_read(struct drbd_conf *mdev, sector_t sector, int data_si
         if (drbd_submit_ee(mdev, e, WRITE, DRBD_FAULT_RS_WR) == 0)
                 return TRUE;
 
+        /* drbd_submit_ee currently fails for one reason only:
+         * not being able to allocate enough bios.
+         * Is dropping the connection going to help? */
+        spin_lock_irq(&mdev->req_lock);
+        list_del(&e->w.list);
+        spin_unlock_irq(&mdev->req_lock);
+
         drbd_free_ee(mdev, e);
 fail:
         put_ldev(mdev);
@@ -1998,6 +2005,16 @@ static int receive_Data(struct drbd_conf *mdev, enum drbd_packets cmd, unsigned
         if (drbd_submit_ee(mdev, e, rw, DRBD_FAULT_DT_WR) == 0)
                 return TRUE;
 
+        /* drbd_submit_ee currently fails for one reason only:
+         * not being able to allocate enough bios.
+         * Is dropping the connection going to help? */
+        spin_lock_irq(&mdev->req_lock);
+        list_del(&e->w.list);
+        hlist_del_init(&e->colision);
+        spin_unlock_irq(&mdev->req_lock);
+        if (e->flags & EE_CALL_AL_COMPLETE_IO)
+                drbd_al_complete_io(mdev, e->sector);
+
 out_interrupted:
         /* yes, the epoch_size now is imbalanced.
          * but we drop the connection anyways, so we don't have a chance to
@@ -2202,6 +2219,14 @@ submit:
         if (drbd_submit_ee(mdev, e, READ, fault_type) == 0)
                 return TRUE;
 
+        /* drbd_submit_ee currently fails for one reason only:
+         * not being able to allocate enough bios.
+         * Is dropping the connection going to help? */
+        spin_lock_irq(&mdev->req_lock);
+        list_del(&e->w.list);
+        spin_unlock_irq(&mdev->req_lock);
+        /* no drbd_rs_complete_io(), we are dropping the connection anyways */
+
 out_free_e:
         put_ldev(mdev);
         drbd_free_ee(mdev, e);
diff --git a/drivers/block/drbd/drbd_worker.c b/drivers/block/drbd/drbd_worker.c
index 88be45ad84ed..f12822d53867 100644
--- a/drivers/block/drbd/drbd_worker.c
+++ b/drivers/block/drbd/drbd_worker.c
@@ -387,6 +387,13 @@ static int read_for_csum(struct drbd_conf *mdev, sector_t sector, int size)
         if (drbd_submit_ee(mdev, e, READ, DRBD_FAULT_RS_RD) == 0)
                 return 0;
 
+        /* drbd_submit_ee currently fails for one reason only:
+         * not being able to allocate enough bios.
+         * Is dropping the connection going to help? */
+        spin_lock_irq(&mdev->req_lock);
+        list_del(&e->w.list);
+        spin_unlock_irq(&mdev->req_lock);
+
         drbd_free_ee(mdev, e);
 defer:
         put_ldev(mdev);