staging: lustre: Use after free in lnet_ptl_match_delay()
author: Olaf Weber <olaf@sgi.com>
Wed, 2 Mar 2016 22:01:49 +0000 (17:01 -0500)
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 2 Mar 2016 23:23:49 +0000 (15:23 -0800)
commit: 15dd2536671e9d0fd7880823b2f4bf0d2e43dbf5
tree: ead1b1e85f27fee2ffd891756305ca6febeb202c
parent: 8f1c0012715de75347ae92c9f3ef60ce8966c792
staging: lustre: Use after free in lnet_ptl_match_delay()

In lnet_ptl_match_delay() we check msg->msg_rx_delayed to see whether
the message has been added to the delay queue. But this check is done
after lnet_ptl_unlock() and lnet_res_unlock(), and the message can be
processed and freed before the check.

Replace the check with checking rc against LNET_MATCHMD_NONE, which
is how the callers of lnet_ptl_match_delay() know whether the message
was added to the delay queue. To make this work we reset rc in the
loop when there was no match and the message hasn't been delayed. In
addition, reorganize the code and add comments to clarify the logic.

In lnet_ptl_match_md() a similar msg->msg_rx_delayed check is replaced
for the same reason.

Signed-off-by: Olaf Weber <olaf@sgi.com>
Intel-bug-id: https://jira.hpdd.intel.com/browse/LU-7324
Reviewed-on: http://review.whamcloud.com/17840
Reviewed-by: Faccini Bruno <bruno.faccini@intel.com>
Reviewed-by: Liang Zhen <liang.zhen@intel.com>
Reviewed-by: Oleg Drokin <oleg.drokin@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Files changed: drivers/staging/lustre/lnet/lnet/lib-ptl.c