Commit 5b16d52b authored by Liang Zhen, committed by Greg Kroah-Hartman

staging: lustre: recv could access freed message

When lnet_parse_put calls lnet_ptl_match_md, this function can attach
current message on the delayed list if there is no match. It means
this message can be taken over and freed by another thread who is
posting new MD, then it is not safe for caller of lnet_parse_put to
check this message again.

This patch fixes this issue by adding a local variable "ready_delay"
to store corresponding status of lnet_msg, so lnet doesn't need to
check the message again if lnet_ptl_match_md returned MATCH_NONE for
it.

Signed-off-by: Liang Zhen <liang.zhen@intel.com>
Intel-bug-id: https://jira.hpdd.intel.com/browse/LU-7324
Reviewed-on: http://review.whamcloud.com/17065
Reviewed-by: Doug Oucharek <doug.s.oucharek@intel.com>
Reviewed-by: Faccini Bruno <bruno.faccini@intel.com>
Reviewed-by: Oleg Drokin <oleg.drokin@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
parent e816f235
...@@ -1466,6 +1466,7 @@ lnet_parse_put(lnet_ni_t *ni, lnet_msg_t *msg) ...@@ -1466,6 +1466,7 @@ lnet_parse_put(lnet_ni_t *ni, lnet_msg_t *msg)
{ {
lnet_hdr_t *hdr = &msg->msg_hdr; lnet_hdr_t *hdr = &msg->msg_hdr;
struct lnet_match_info info; struct lnet_match_info info;
bool ready_delay;
int rc; int rc;
/* Convert put fields to host byte order */ /* Convert put fields to host byte order */
...@@ -1482,6 +1483,7 @@ lnet_parse_put(lnet_ni_t *ni, lnet_msg_t *msg) ...@@ -1482,6 +1483,7 @@ lnet_parse_put(lnet_ni_t *ni, lnet_msg_t *msg)
info.mi_mbits = hdr->msg.put.match_bits; info.mi_mbits = hdr->msg.put.match_bits;
msg->msg_rx_ready_delay = !ni->ni_lnd->lnd_eager_recv; msg->msg_rx_ready_delay = !ni->ni_lnd->lnd_eager_recv;
ready_delay = msg->msg_rx_ready_delay;
again: again:
rc = lnet_ptl_match_md(&info, msg); rc = lnet_ptl_match_md(&info, msg);
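Review bot: The snapshot at `ready_delay = msg->msg_rx_ready_delay;` carries no comment saying why a local copy is needed. Per the commit message, msg can be taken over and freed by another thread once lnet_ptl_match_md has put it on the delayed list, so a one-line comment above the assignment (msg must not be dereferenced after a MATCH_NONE return when ready_delay is set) would keep a later cleanup from switching the check back to a field of msg.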
...@@ -1494,12 +1496,18 @@ lnet_parse_put(lnet_ni_t *ni, lnet_msg_t *msg) ...@@ -1494,12 +1496,18 @@ lnet_parse_put(lnet_ni_t *ni, lnet_msg_t *msg)
return 0; return 0;
case LNET_MATCHMD_NONE: case LNET_MATCHMD_NONE:
if (msg->msg_rx_delayed) /* attached on delayed list */ /**
* no eager_recv or has already called it, should
* have been attached on delayed list
*/
if (ready_delay)
return 0; return 0;
rc = lnet_ni_eager_recv(ni, msg); rc = lnet_ni_eager_recv(ni, msg);
if (!rc) if (!rc) {
ready_delay = true;
goto again; goto again;
}
/* fall through */ /* fall through */
case LNET_MATCHMD_DROP: case LNET_MATCHMD_DROP:
......
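Review bot: In the LNET_MATCHMD_NONE branch, `ready_delay = true;` after a successful lnet_ni_eager_recv assumes that the call also leaves msg->msg_rx_ready_delay set, because the retry through `again:` only behaves as the comment describes if lnet_ptl_match_md sees the same state the local now records. That is not visible in this hunk, so either state the assumption in the comment or assert it before `goto again;`, where msg has not yet been handed to the delayed list. As a style point, the new comment opens with `/**`, which is the kernel-doc marker; a plain `/*` is the usual form for a comment inside a function body.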