From a8ba0d606933c34c13ea971491a7e0dfa50208ef Mon Sep 17 00:00:00 2001 From: Lars Ellenberg Date: Wed, 14 May 2014 21:34:47 +0200 Subject: drbd: fix drbd_destroy_device reference count updates drbd_destroy_device means to give up reference counts on the connection(s) reachable via the peer_device(s). It must not do that by iterating via device->resource->connections, resource and connections may have already been disassociated by drbd_free_resource, and we'd leak connection refs. Instead, iterate via device->peer_devices->connection. Signed-off-by: Philipp Reisner Signed-off-by: Lars Ellenberg --- drivers/block/drbd/drbd_main.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) (limited to 'drivers/block') diff --git a/drivers/block/drbd/drbd_main.c b/drivers/block/drbd/drbd_main.c index 92547d16b2c7..56cf11b60cb8 100644 --- a/drivers/block/drbd/drbd_main.c +++ b/drivers/block/drbd/drbd_main.c @@ -2160,7 +2160,7 @@ void drbd_destroy_device(struct kref *kref) { struct drbd_device *device = container_of(kref, struct drbd_device, kref); struct drbd_resource *resource = device->resource; - struct drbd_connection *connection; + struct drbd_peer_device *peer_device, *tmp_peer_device; del_timer_sync(&device->request_timer); @@ -2191,12 +2191,16 @@ void drbd_destroy_device(struct kref *kref) put_disk(device->vdisk); blk_cleanup_queue(device->rq_queue); kfree(device->rs_plan_s); - kfree(first_peer_device(device)); + + /* not for_each_connection(connection, resource): + * those may have been cleaned up and disassociated already. + */ + for_each_peer_device_safe(peer_device, tmp_peer_device, device) { + kref_put(&peer_device->connection->kref, drbd_destroy_connection); + kfree(peer_device); + } memset(device, 0xfd, sizeof(*device)); kfree(device); - - for_each_connection(connection, resource) - kref_put(&connection->kref, drbd_destroy_connection); kref_put(&resource->kref, drbd_destroy_resource); } -- cgit v1.2.3