[sheepdog] [PATCH] sheep: fix null reference bug

Liu Yuan namei.unix at gmail.com
Tue May 29 09:47:40 CEST 2012


From: Liu Yuan <tailai.ly at taobao.com>

Fix the following segfault:

Segmentation fault.
#0 0x0000000000407ec2 in __list_del (prev=0x0, next=0x0) at ../include/list.h:79
#1 0x0000000000407f21 in list_del (entry=0x5ce0fe0) at ../include/list.h:90
#2 0x0000000000408537 in io_op_done (work=0x5ce1020) at sdnet.c:98
#3 0x00000000004088db in check_request (req=0x5ce0f60) at sdnet.c:194
#4 0x0000000000408ae6 in resume_pending_requests () at sdnet.c:244
#5 0x00000000004086ec in io_op_done (work=0x5d04b00) at sdnet.c:147
#6 0x000000000040f716 in bs_thread_request_done (fd=12, events=1, data=0x0) at work.c:159
#7 0x000000000041ef21 in event_loop (timeout=-1) at event.c:181
#8 0x0000000000404569 in main (argc=12, argv=0x7fff94127938) at sheep.c:285

The culprit is that we call list_del() twice, once in resume_pending_requests()
and once more in io_op_done().

So the fix is to provide a check before calling list_del in io_op_done().

Signed-off-by: Liu Yuan <tailai.ly at taobao.com>
---
 sheep/sdnet.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sheep/sdnet.c b/sheep/sdnet.c
index 7fcff4b..486d3cf 100644
--- a/sheep/sdnet.c
+++ b/sheep/sdnet.c
@@ -95,7 +95,8 @@ static void io_op_done(struct work *work)
 	struct request *req = container_of(work, struct request, work);
 	struct sd_req *hdr = &req->rq;
 
-	list_del(&req->request_list);
+	if (!list_empty(&req->request_list))
+		list_del(&req->request_list);
 
 	switch (req->rp.result) {
 	case SD_RES_OLD_NODE_VER:
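
Review bot: The added `if (!list_empty(&req->request_list))` guard in io_op_done() only helps if the earlier removal leaves the entry pointing at itself. The backtrace in the commit message shows __list_del() entered with prev=0x0 and next=0x0, so at crash time the entry's pointers were NULL rather than self-referential; if list_empty() in include/list.h is the usual `head->next == head` comparison, it reports such an entry as non-empty and list_del() still runs. Please confirm that the removal in resume_pending_requests() reinitialises the entry (list_del_init(), or INIT_LIST_HEAD() after list_del()), or make that part of this patch, and add a short comment at the guard saying why the request may already be off the list.
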
-- 
1.7.10.2
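
The double-removal case described in the commit message, as an added example that is not part of the original patch or of sheepdog's code: it shows when a `list_empty()` guard on the entry actually skips the second removal. The list implementation is a constructed Linux-style one (an assumption, not sheepdog's include/list.h), and `guard_skips_second_del()` and the `first_removal` enum are hypothetical names.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed Linux-style circular list; not sheepdog's include/list.h. */
struct list_head { struct list_head *next, *prev; };

static void init_list_head(struct list_head *h) { h->next = h; h->prev = h; }
static int list_empty(const struct list_head *h) { return h->next == h; }

static void list_add(struct list_head *n, struct list_head *head)
{
	n->next = head->next;
	n->prev = head;
	head->next->prev = n;
	head->next = n;
}

/* Unlink only: the node keeps stale pointers to its old neighbours. */
static void list_del(struct list_head *e)
{
	e->next->prev = e->prev;
	e->prev->next = e->next;
}

enum first_removal { DEL_PLAIN, DEL_AND_NULL, DEL_AND_INIT };

/* Returns 1 if an "if (!list_empty(node))" guard would skip a second
 * removal after the first one was done in the given way, 0 otherwise. */
static int guard_skips_second_del(enum first_removal how)
{
	struct list_head head, node;

	init_list_head(&head);
	list_add(&node, &head);
	list_del(&node);
	if (how == DEL_AND_NULL)
		node.next = node.prev = NULL;	/* pointers zeroed after unlink */
	else if (how == DEL_AND_INIT)
		init_list_head(&node);		/* what a list_del_init() does */
	return list_empty(&node);
}

int main(void)
{
	printf("plain=%d nulled=%d init=%d\n",
	       guard_skips_second_del(DEL_PLAIN),
	       guard_skips_second_del(DEL_AND_NULL),
	       guard_skips_second_del(DEL_AND_INIT));
	return 0;
}
```

Only the reinitialising removal makes the guard effective; after a plain unlink or with NULL pointers the guard lets the second `list_del()` through.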



