From 9dcbf8b3d44f9bb2b1d9c3ac6036345bad827797 Mon Sep 17 00:00:00 2001
From: Shaun Tancheff <shaun.tancheff@hpe.com>
Date: Wed, 9 Mar 2022 02:53:24 -0600
Subject: [PATCH] LU-15634 ptlrpc: Use after free of 'conn' in rhashtable retry

Use after free of 'conn' in the uncommon case of
rhashtable_lookup_get_insert_fast failing with -EBUSY or -ENOMEM

Move OBD_FREE_PTR(conn) below the retry and set conn2 to NULL
on error, propagating to conn and returning to the caller.

HPE-bug-id: LUS-10776
Fixes: 37b29a8f70 ("LU-8130 ptlrpc: convert conn_hash to rhashtable");
Signed-off-by: Shaun Tancheff <shaun.tancheff@hpe.com>
Change-Id: I2fb27d4e8fa6a5324d0a8e06afe34a39fa622bc2
Reviewed-on: https://review.whamcloud.com/46763
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Tested-by: jenkins <devops@whamcloud.com>
Reviewed-by: James Simmons <jsimmons@infradead.org>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: Oleg Drokin <green@whamcloud.com>
---
 lustre/ptlrpc/connection.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/lustre/ptlrpc/connection.c b/lustre/ptlrpc/connection.c
index fe9cf6c..3f690ad 100644
--- a/lustre/ptlrpc/connection.c
+++ b/lustre/ptlrpc/connection.c
@@ -112,7 +112,6 @@ try_again:
 						  conn_hash_params);
 	if (conn2) {
 		/* insertion failed */
-		OBD_FREE_PTR(conn);
 		if (IS_ERR(conn2)) {
 			/* hash table could be resizing. */
 			if (PTR_ERR(conn2) == -ENOMEM ||
@@ -120,10 +119,12 @@ try_again:
 				msleep(5);
 				goto try_again;
 			}
-			return NULL;
+			conn2 = NULL;
 		}
+		OBD_FREE_PTR(conn);
 		conn = conn2;
-		ptlrpc_connection_addref(conn);
+		if (conn)
+			ptlrpc_connection_addref(conn);
 	}
 	EXIT;
 out:
-- 
1.8.3.1