tdb2: coalescing race fix #1
authorRusty Russell <rusty@rustcorp.com.au>
Mon, 15 Nov 2010 07:10:47 +0000 (17:40 +1030)
committerRusty Russell <rusty@rustcorp.com.au>
Mon, 15 Nov 2010 07:10:47 +0000 (17:40 +1030)
When coalescing, we check the adjacent entry then lock its free list: we
need to *recheck* after locking, to make sure it's still in that free list.

ccan/tdb2/free.c

index e6e77bf616666deed3940b07707616485bd29812..c19b14a84e20a4228d954b495ea88e7cc94ae15a 100644 (file)
@@ -319,6 +319,13 @@ static int coalesce(struct tdb_context *tdb,
                        break;
                }
 
                        break;
                }
 
+               if (unlikely(bucket_off(zone_off,
+                                       size_to_bucket(zone_bits, r->data_len))
+                            != nb_off)) {
+                       tdb_unlock_free_bucket(tdb, nb_off);
+                       break;
+               }
+
                if (remove_from_list(tdb, nb_off, end, r) == -1) {
                        tdb_unlock_free_bucket(tdb, nb_off);
                        goto err;
                if (remove_from_list(tdb, nb_off, end, r) == -1) {
                        tdb_unlock_free_bucket(tdb, nb_off);
                        goto err;