Hi,

This patch changes function free_conn so that it calls function close_connection with the last two parameters false, false rather than true, true. These parameters indicate close_connection should cancel pending work on the send and receive workqueues respectively. The trouble is, free_conn is only called from function dlm_lowcomms_stop AFTER it calls work_stop which destroys both send and receive workqueues. Any reference would be a use-after-free. Besides, since free_conn is called with the connections_lock held, any receive work would potentially call tcp_accept_from_sock which also grabs connections_lock, creating a circular lock dependency. So either way, trying to cancel receive work here gets us into trouble.
Signed-off-by: Bob Peterson <rpete...@redhat.com> --- diff --git a/fs/dlm/lowcomms.c b/fs/dlm/lowcomms.c index c196c16..217adf3 100644 --- a/fs/dlm/lowcomms.c +++ b/fs/dlm/lowcomms.c @@ -1645,7 +1645,7 @@ static void stop_conn(struct connection *con) static void free_conn(struct connection *con) { - close_connection(con, true, true, true); + close_connection(con, true, false, false); if (con->othercon) kmem_cache_free(con_cache, con->othercon); hlist_del(&con->list);
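Review bot: the ordering invariant this hunk depends on (free_conn runs only after work_stop has destroyed both workqueues, and with connections_lock held) is stated only in the commit message, so please add a short comment above the changed call, e.g. `/* workqueues already destroyed by work_stop(); do not cancel work here */`, so a future caller of free_conn does not reintroduce the use-after-free or the connections_lock ordering problem by passing true, true again. Also worth confirming in the same function: the visible lines close con but only kmem_cache_free con->othercon without a matching close, so if othercon can still hold an open socket at this point, the earlier stop_conn path should be the one that closes it.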