In ptlrpc_at_check_timed, the refcount of the request could
be already dropped to zero, the ptlrpc_server_drop_request
could continue without the "scp_at_lock" and free the request
by writing 0x5a5a5a5a5a5a5a5a to the memory, but the following
"atomic_inc_not_zero(&rq->rq_refcount)" will return nonzero and
cause freed request to be used in ptlrpc_at_send_early_reply.
Change-Id: I5d884be86de007f49b044e022ad90663b08078d7
Signed-off-by: Hongchao Zhang <hongchao@whamcloud.com>
Reviewed-on: https://review.whamcloud.com/33071
Tested-by: Jenkins
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Tested-by: Maloo <hpdd-maloo@intel.com>
Reviewed-by: Lai Siyao <lai.siyao@whamcloud.com>
Reviewed-by: Oleg Drokin <green@whamcloud.com>
break;
}
- ptlrpc_at_remove_timed(rq);
/**
* ptlrpc_server_drop_request() may drop
* refcount to 0 already. Let's check this and
* don't add entry to work_list
*/
- if (likely(atomic_inc_not_zero(&rq->rq_refcount)))
+ if (likely(atomic_inc_not_zero(&rq->rq_refcount))) {
+ ptlrpc_at_remove_timed(rq);
list_add(&rq->rq_timed_list, &work_list);
+ } else {
+ ptlrpc_at_remove_timed(rq);
+ }
+
counter++;
}