LU-5177 mdt: fix object leak and use after free 50/10750/3
authorMikhail Pershin <mike.pershin@intel.com>
Thu, 19 Jun 2014 06:35:02 +0000 (10:35 +0400)
committerOleg Drokin <oleg.drokin@intel.com>
Thu, 26 Jun 2014 15:17:15 +0000 (15:17 +0000)
mdt_intent_layout() and mdt_open_by_fid_lock() may exit without
putting the object, which leaks the object.

The mdt_md_create() passed possibly freed object to the
mdt_create_pack_capa()

Signed-off-by: Mikhail Pershin <mike.pershin@intel.com>
Change-Id: I634052c58ee8595871af987755fda5a9f2c942e1
Reviewed-on: http://review.whamcloud.com/10750
Tested-by: Jenkins
Tested-by: Maloo <hpdd-maloo@intel.com>
Reviewed-by: wangdi <di.wang@intel.com>
Reviewed-by: John L. Hammond <john.hammond@intel.com>
Reviewed-by: Oleg Drokin <oleg.drokin@intel.com>
lustre/mdt/mdt_handler.c
lustre/mdt/mdt_open.c
lustre/mdt/mdt_reint.c

index 91c2207..f6d5a58 100644 (file)
@@ -3261,8 +3261,10 @@ static int mdt_intent_layout(enum mdt_it_code opcode,
        if (mdt_object_exists(obj) && !mdt_object_remote(obj)) {
                /* get the length of lsm */
                rc = mdt_attr_get_eabuf_size(info, obj);
-               if (rc < 0)
+               if (rc < 0) {
+                       mdt_object_put(info->mti_env, obj);
                        RETURN(rc);
+               }
 
                if (rc > info->mti_mdt->mdt_max_mdsize)
                        info->mti_mdt->mdt_max_mdsize = rc;
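Review bot: The release on the `rc < 0` path is written inline right before `RETURN(rc)`, so the next early return added after the object lookup can reintroduce the same reference leak. A single exit label would be more robust, matching the label-based cleanup the same commit uses in mdt_open_by_fid_lock(): `GOTO(out_put, rc);` here and `out_put: mdt_object_put(info->mti_env, obj);` at the function's end. The rest of mdt_intent_layout() is outside the hunk, so whether its other exits already release `obj` cannot be confirmed from here.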
index e25e4fd..11dcb3b 100644 (file)
@@ -1461,9 +1461,9 @@ int mdt_open_by_fid_lock(struct mdt_thread_info *info, struct ldlm_reply *rep,
                         ma->ma_need |= MA_PFID;
         }
 
-        o = mdt_object_find(env, mdt, rr->rr_fid2);
-        if (IS_ERR(o))
-                RETURN(rc = PTR_ERR(o));
+       o = mdt_object_find(env, mdt, rr->rr_fid2);
+       if (IS_ERR(o))
+               GOTO(out_parent_put, rc = PTR_ERR(o));
 
        if (mdt_object_remote(o)) {
                CDEBUG(D_INFO, "%s: "DFID" is on remote MDT.\n",
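Review bot: The new `GOTO(out_parent_put, rc = PTR_ERR(o))` carries no comment saying why it bypasses `out:`, and the reason is easy to lose in a later cleanup of the labels: `o` is an error pointer at this point and must not reach `mdt_object_put(env, o)`. I would add `/* o is an ERR_PTR: skip the put under out: and drop only the parent reference */` above the GOTO. The `out_parent_put:` label added in the following hunk depends on `parent` being either NULL or a held reference when this jump is taken; its initialisation is outside the hunk, so that is worth confirming.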
@@ -1526,6 +1526,7 @@ out_unlock:
        mdt_object_open_unlock(info, o, lhc, ibits, rc);
 out:
        mdt_object_put(env, o);
+out_parent_put:
        if (parent != NULL)
                mdt_object_put(env, parent);
        return rc;
index 3150e60..2f98026 100644 (file)
@@ -423,18 +423,19 @@ static int mdt_md_create(struct mdt_thread_info *info)
                if (rc == 0)
                        rc = mdt_attr_get_complex(info, child, ma);
 
-                if (rc == 0) {
-                        /* Return fid & attr to client. */
-                        if (ma->ma_valid & MA_INODE)
-                                mdt_pack_attr2body(info, repbody, &ma->ma_attr,
-                                                   mdt_object_fid(child));
-                }
+               if (rc == 0) {
+                       /* Return fid & attr to client. */
+                       if (ma->ma_valid & MA_INODE)
+                               mdt_pack_attr2body(info, repbody, &ma->ma_attr,
+                                                  mdt_object_fid(child));
+               }
 out_put_child:
-                mdt_object_put(info->mti_env, child);
-        } else {
-                rc = PTR_ERR(child);
-        }
-        mdt_create_pack_capa(info, rc, child, repbody);
+               mdt_create_pack_capa(info, rc, child, repbody);
+               mdt_object_put(info->mti_env, child);
+       } else {
+               rc = PTR_ERR(child);
+               mdt_create_pack_capa(info, rc, NULL, repbody);
+       }
 unlock_parent:
        mdt_object_unlock(info, parent, lh, rc);
 put_parent:
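Review bot: The else branch now calls `mdt_create_pack_capa(info, rc, NULL, repbody)`, which is only safe if the callee never touches its object argument when `rc` is non-zero; that function is not part of this diff, so the contract is assumed rather than shown. A comment on the call, e.g. `/* child is an ERR_PTR: pass NULL, the callee must not use the object when rc != 0 */`, would record the dependency for whoever changes the callee next. The `out_put_child:` label also now packs the capability before the put, so the ordering deserves a short `/* pack capa while the child reference is still held */` note to keep the two calls from being swapped back. mdt_md_create() starts and ends outside the hunk.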