LU-11281 ptlrpc: race in AT early reply

In ptlrpc_at_check_timed, the refcount of the request could
be already dropped to zero, the ptlrpc_server_drop_request
could continue without the "scp_at_lock" and free the request
by writing 0x5a5a5a5a5a5a5a5a to the memory, but the following
"atomic_inc_not_zero(&rq->rq_refcount)" will return nonzero and
cause freed request to be used in ptlrpc_at_send_early_reply.

Change-Id: I5d884be86de007f49b044e022ad90663b08078d7
Signed-off-by: Hongchao Zhang <hongchao@whamcloud.com>
Reviewed-on: https://review.whamcloud.com/33071
Tested-by: Jenkins
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Tested-by: Maloo <hpdd-maloo@intel.com>
Reviewed-by: Lai Siyao <lai.siyao@whamcloud.com>
Reviewed-by: Oleg Drokin <green@whamcloud.com>

diff --git a/lustre/ptlrpc/service.c b/lustre/ptlrpc/service.c
index 78fa186..67568ff 100644 (file)
--- a/lustre/ptlrpc/service.c
+++ b/lustre/ptlrpc/service.c
@@ -1496,14 +1496,18 @@ static int ptlrpc_at_check_timed(struct ptlrpc_service_part *svcpt)
                                break;
                        }
 
-                       ptlrpc_at_remove_timed(rq);
                        /**
                         * ptlrpc_server_drop_request() may drop
                         * refcount to 0 already. Let's check this and
                         * don't add entry to work_list
                         */
-                       if (likely(atomic_inc_not_zero(&rq->rq_refcount)))
+                       if (likely(atomic_inc_not_zero(&rq->rq_refcount))) {
+                               ptlrpc_at_remove_timed(rq);
                                list_add(&rq->rq_timed_list, &work_list);
+                       } else {
+                               ptlrpc_at_remove_timed(rq);
+                       }
+
                        counter++;
                }