[lustre-devel] [PATCH 022/151] lustre: llite: NULL pointer dereference in cl_object_top()

[James Simmons]

From: Andriy Skulysh <c17819 at cray.com>

During race condition iget5_locked() returns inode without
I_NEW bit for the second thread. If cl_file_inode_init()
failed for the first thread lli_clob isn't valid for
corresponding fid.

But failed inode is marked bad, check it.

WC-bug-id: https://jira.whamcloud.com/browse/LU-6436
Seagate-bug-id: MRP-4035
Lustre-commit: 13c8d5e4bebf ("LU-6436 llite: NULL pointer dereference in cl_object_top()")
Signed-off-by: Andriy Skulysh <c17819 at cray.com>
Reviewed-on: https://review.whamcloud.com/27777
Reviewed-by: Bobi Jam <bobijam at hotmail.com>
Reviewed-by: Jinshan Xiong <jinshan.xiong at whamcloud.com>
Reviewed-by: Oleg Drokin <green at whamcloud.com>
Signed-off-by: James Simmons <jsimmons at infradead.org>
---
 fs/lustre/llite/namei.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/lustre/llite/namei.c b/fs/lustre/llite/namei.c
index caa759f..9c9acf2 100644
--- a/fs/lustre/llite/namei.c
+++ b/fs/lustre/llite/namei.c
@@ -133,6 +133,9 @@ struct inode *ll_iget(struct super_block *sb, ino_t hash,
 			inode_has_no_xattr(inode);
 			unlock_new_inode(inode);
 		}
+	} else if (is_bad_inode(inode)) {
+		iput(inode);
+		inode = ERR_PTR(-ESTALE);
 	} else if (!(inode->i_state & (I_FREEING | I_CLEAR))) {
 		rc = ll_update_inode(inode, md);
 		CDEBUG(D_VFSTRACE, "got inode: " DFID "(%p): rc = %d\n",
-- 
1.8.3.1