LU-18485 ptlrpc: use-after-free in batch_send_update_req

if rpc in batch_send_update_req() is async, then the interpreter
(freeing the head) can be called sooner than lprocfs_oh_tally_log2()
(using the head):

  BUG: unable to handle kernel paging request at ffffa35eb3668018
  PGD 100090067 P4D 100090067 PUD 100091067 PMD 14d0c0067 PTE 0
  Oops: 0000 [#1] PREEMPT SMP
  CPU: 1 PID: 10997 Comm: ll_sa_10979 Tainted: G        W  O
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1
  RIP: 0010:batch_send_update_req.constprop.1.cold.4+0xb5/0x1d1 [ptlrpc]

Fixes: a20f25d24b5 ("LU-14139 statahead: add stats for batch RPC requests")
Signed-off-by: Alex Zhuravlev <bzzz@whamcloud.com>
Change-Id: I65588da9a772e0109bfc133c4057b1effc0e7e5b
Reviewed-on: https://review.whamcloud.com/c/fs/lustre-release/+/57116
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Reviewed-by: James Simmons <jsimmons@infradead.org>
Reviewed-by: Oleg Drokin <green@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
Tested-by: jenkins <devops@whamcloud.com>

diff --git a/lustre/ptlrpc/batch.c b/lustre/ptlrpc/batch.c
index 47bd32c..7c1d091 100644 (file)
--- a/lustre/ptlrpc/batch.c
+++ b/lustre/ptlrpc/batch.c
@@ -459,6 +459,9 @@ static int batch_send_update_req(const struct lu_env *env,
        if (!(flags & BATCH_FL_RDONLY))
                ptlrpc_get_mod_rpc_slot(req);
 
+       lprocfs_oh_tally_log2(&obd->u.cli.cl_batch_rpc_hist,
+                             head->buh_update_count);
+
        if (flags & BATCH_FL_SYNC) {
                rc = ptlrpc_queue_wait(req);
        } else {
@@ -474,8 +477,6 @@ static int batch_send_update_req(const struct lu_env *env,
        if (req != NULL)
                ptlrpc_req_put(req);
 
-       lprocfs_oh_tally_log2(&obd->u.cli.cl_batch_rpc_hist,
-                             head->buh_update_count);
        RETURN(rc);
 }