[lustre-devel] [PATCH 50/50] lustre: ptlrpc: Use after free of 'conn' in rhashtable retry

[James Simmons]

From: Shaun Tancheff <shaun.tancheff at hpe.com>

Use after free of 'conn' in the uncommon case of
rhashtable_lookup_get_insert_fast failing with -EBUSY or -ENOMEM

Move kfree(conn) below the retry and set conn2 to NULL
on error, propagating to conn and returning to the caller.

HPE-bug-id: LUS-10776
Fixes: ac2370ac2b ("staging: lustre: ptlrpc: convert conn_hash to rhashtable");
WC-bug-id: https://jira.whamcloud.com/browse/LU-15634
Lustre-commit: 9dcbf8b3d44f9bb2b ("LU-15634 ptlrpc: Use after free of 'conn' in rhashtable retry")
Signed-off-by: Shaun Tancheff <shaun.tancheff at hpe.com>
Reviewed-on: https://review.whamcloud.com/46763
Reviewed-by: Andreas Dilger <adilger at whamcloud.com>
Reviewed-by: James Simmons <jsimmons at infradead.org>
Reviewed-by: Oleg Drokin <green at whamcloud.com>
Signed-off-by: James Simmons <jsimmons at infradead.org>
---
 fs/lustre/ptlrpc/connection.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/fs/lustre/ptlrpc/connection.c b/fs/lustre/ptlrpc/connection.c
index 8dbaea40..d1f53c6 100644
--- a/fs/lustre/ptlrpc/connection.c
+++ b/fs/lustre/ptlrpc/connection.c
@@ -119,10 +119,12 @@ struct ptlrpc_connection *
 				msleep(20);
 				goto try_again;
 			}
-			return NULL;
+			conn2 = NULL;
 		}
+		kfree(conn);
 		conn = conn2;
-		ptlrpc_connection_addref(conn);
+		if (conn)
+			ptlrpc_connection_addref(conn);
 	}
 out:
 	CDEBUG(D_INFO, "conn=%p refcount %d to %s\n",
-- 
1.8.3.1