drbd: fix request leak introduced by locking/atomic, kref: Kill kref_sub()

When killing kref_sub(), the unconditional additional kref_get() was not properly paired with the necessary kref_put(), causing a leak of struct drbd_requests (~ 224 Bytes) per submitted bio, and breaking DRBD in general, as the destructor of those "drbd_requests" does more than just the mempoll_free(). Fixes: bdfafc4f ("locking/atomic, kref: Kill kref_sub()") Signed-off-by: Lars Ellenberg <lars.ellenberg@linbit.com> Cc: stable@vger.kernel.org # v4.11 Signed-off-by: Jens Axboe <axboe@fb.com>

drbd: fix request leak introduced by locking/atomic, kref: Kill kref_sub()
When killing kref_sub(), the unconditional additional kref_get() was not properly paired with the necessary kref_put(), causing a leak of struct drbd_requests (~ 224 Bytes) per submitted bio, and breaking DRBD in general, as the destructor of those "drbd_requests" does more than just the mempoll_free(). Fixes: bdfafc4f ("locking/atomic, kref: Kill kref_sub()") Signed-off-by: Lars Ellenberg <lars.ellenberg@linbit.com> Cc: stable@vger.kernel.org # v4.11 Signed-off-by: Jens Axboe <axboe@fb.com>
a00ebd1c · Lars Ellenberg · Jens Axboe · ed6565e7 · a00ebd1c
Commit a00ebd1c authored May 11, 2017 by Lars Ellenberg Committed by Jens Axboe May 11, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 15 additions and 12 deletions

drivers/block/drbd/drbd_req.c drivers/block/drbd/drbd_req.c +15 -12

No files found.
--- a/drivers/block/drbd/drbd_req.c
+++ b/drivers/block/drbd/drbd_req.c
@@ -315,24 +315,32 @@ void drbd_req_complete(struct drbd_request *req, struct bio_and_error *m)
 }
 /* still holds resource->req_lock */
-static int drbd_req_put_completion_ref(struct drbd_request *req, struct bio_and_error *m, int put)
+static void drbd_req_put_completion_ref(struct drbd_request *req, struct bio_and_error *m, int put)
 {
 	struct drbd_device *device = req->device;
 	D_ASSERT(device, m || (req->rq_state & RQ_POSTPONED));
+	if (!put)
+		return;
 	if (!atomic_sub_and_test(put, &req->completion_ref))
-		return 0;
+		return;
 	drbd_req_complete(req, m);
+	/* local completion may still come in later,
+	 * we need to keep the req object around. */
+	if (req->rq_state & RQ_LOCAL_ABORTED)
+		return;
 	if (req->rq_state & RQ_POSTPONED) {
 		/* don't destroy the req object just yet,
 		 * but queue it for retry */
 		drbd_restart_request(req);
-		return 0;
+		return;
 	}
-	return 1;
+	kref_put(&req->kref, drbd_req_destroy);
 }
 static void set_if_null_req_next(struct drbd_peer_device *peer_device, struct drbd_request *req)
@@ -519,12 +527,8 @@ static void mod_rq_state(struct drbd_request *req, struct bio_and_error *m,
 	if (req->i.waiting)
 		wake_up(&device->misc_wait);
-	if (c_put) {
+	drbd_req_put_completion_ref(req, m, c_put);
-		if (drbd_req_put_completion_ref(req, m, c_put))
+	kref_put(&req->kref, drbd_req_destroy);
-			kref_put(&req->kref, drbd_req_destroy);
-	} else {
-		kref_put(&req->kref, drbd_req_destroy);
-	}
 }
 static void drbd_report_io_error(struct drbd_device *device, struct drbd_request *req)
@@ -1366,8 +1370,7 @@ static void drbd_send_and_submit(struct drbd_device *device, struct drbd_request
 	}
 out:
-	if (drbd_req_put_completion_ref(req, &m, 1))
+	drbd_req_put_completion_ref(req, &m, 1);
-		kref_put(&req->kref, drbd_req_destroy);
 	spin_unlock_irq(&resource->req_lock);
 	/* Even though above is a kref_put(), this is safe.