git://git.whamcloud.com - fs/lustre-release.git/commit

author	Olaf Weber <olaf@sgi.com>
	Wed, 6 Jan 2016 12:50:03 +0000 (13:50 +0100)
committer	Oleg Drokin <oleg.drokin@intel.com>
	Mon, 25 Jan 2016 01:58:51 +0000 (01:58 +0000)
commit	607f6919ea67b101796630d4b55649a12ea0e859
tree	906f3bc86ade0cc4b32e50b23b42cac91c5263ff	tree \| snapshot
parent	12a6fb07d58d460143f5896feb2930dd44381d37	commit \| diff

LU-7324 lnet: Use after free in lnet_ptl_match_delay()

In lnet_ptl_match_delay() we check msg->msg_rx_delayed to see whether
the message has been added to the delay queue. But this check is done
after lnet_ptl_unlock() and lnet_res_unlock(), and the message can be
processed and freed before the check.

Replace the check with checking rc against LNET_MATCHMD_NONE, which
is how the callers of lnet_ptl_match_delay() know whether the message
was added to the delay queue. To make this work we reset rc in the
loop when there was no match and the message hasn't been delayed. In
addition reorganize the code and add comments to clarify the logic.

In lnet_ptl_match_md() a similar msg->msg_rx_delayed is replaced for
the same reason.

Signed-off-by: Olaf Weber <olaf@sgi.com>
Change-Id: Ifbc6573664fdc4849b9155b6102c8589e692996b
Reviewed-on: http://review.whamcloud.com/17840
Tested-by: Jenkins
Tested-by: Maloo <hpdd-maloo@intel.com>
Reviewed-by: Faccini Bruno <bruno.faccini@intel.com>
Reviewed-by: Liang Zhen <liang.zhen@intel.com>
Reviewed-by: Oleg Drokin <oleg.drokin@intel.com>