LU-4629 ptlrpc: fix NULL pointer dereference of {exp,imp}_obd 62/10062/6
authorDmitry Eremin <dmitry.eremin@intel.com>
Wed, 23 Apr 2014 08:01:25 +0000 (12:01 +0400)
committerOleg Drokin <oleg.drokin@intel.com>
Tue, 6 May 2014 03:35:29 +0000 (03:35 +0000)
Pointer 'obd' checked for NULL at line 694 may be dereferenced at
line 813.

Pointer 'req->rq_export->exp_obd' checked for NULL at line 1155
may be dereferenced at line 1164. Also there is one similar error
on line 1170.

Signed-off-by: Dmitry Eremin <dmitry.eremin@intel.com>
Change-Id: I4e0d40bb634415a3f7f1a38f66139b89b9f97772
Reviewed-on: http://review.whamcloud.com/10062
Tested-by: Jenkins
Reviewed-by: John L. Hammond <john.hammond@intel.com>
Tested-by: Maloo <hpdd-maloo@intel.com>
Reviewed-by: Mike Pershin <mike.pershin@intel.com>
Reviewed-by: Oleg Drokin <oleg.drokin@intel.com>
lustre/ptlrpc/niobuf.c
lustre/ptlrpc/service.c

index a695e57..e75599a 100644 (file)
@@ -691,11 +691,10 @@ int ptl_send_rpc(struct ptlrpc_request *request, int noreply)
          * cleanly from the previous attempt */
         LASSERT(!request->rq_receiving_reply);
 
-        if (request->rq_import->imp_obd &&
-            request->rq_import->imp_obd->obd_fail) {
-                CDEBUG(D_HA, "muting rpc for failed imp obd %s\n",
-                       request->rq_import->imp_obd->obd_name);
-                /* this prevents us from waiting in ptlrpc_queue_wait */
+       if (unlikely(obd != NULL && obd->obd_fail)) {
+               CDEBUG(D_HA, "muting rpc for failed imp obd %s\n",
+                       obd->obd_name);
+               /* this prevents us from waiting in ptlrpc_queue_wait */
                spin_lock(&request->rq_lock);
                request->rq_err = 1;
                spin_unlock(&request->rq_lock);
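Review bot: Neither this hunk nor the later `ptl_send_rpc` hunk (at -810) says when `imp_obd` can actually be NULL on the send path, so a reader cannot tell whether the two `obd != NULL` guards cover a reachable state or only silence the static checker. If NULL is impossible here, a single `LASSERT(obd != NULL);` next to the declaration would document the invariant better than two scattered guards; if it is reachable, a comment at the declaration should name the case. `obd` is declared outside both hunks, presumably from `request->rq_import->imp_obd`, so any use of it between line 694 and line 813 is not visible here and needs the same guard. The counter call in the later hunk still reads `request->rq_import->imp_inflight` unguarded, which is consistent only if `rq_import` itself can never be NULL at that point.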
@@ -810,8 +809,8 @@ int ptl_send_rpc(struct ptlrpc_request *request, int noreply)
 
         /* add references on request for request_out_callback */
         ptlrpc_request_addref(request);
-        if (obd->obd_svc_stats != NULL)
-                lprocfs_counter_add(obd->obd_svc_stats, PTLRPC_REQACTIVE_CNTR,
+       if (obd != NULL && obd->obd_svc_stats != NULL)
+               lprocfs_counter_add(obd->obd_svc_stats, PTLRPC_REQACTIVE_CNTR,
                        atomic_read(&request->rq_import->imp_inflight));
 
        OBD_FAIL_TIMEOUT(OBD_FAIL_PTLRPC_DELAY_SEND, request->rq_timeout + 5);
index d9476b4..98696f4 100644 (file)
@@ -1119,7 +1119,7 @@ static void ptlrpc_update_export_timer(struct obd_export *exp, long extra_delay)
                         exp->exp_obd->obd_eviction_timer =
                                 cfs_time_current_sec() + 3 * PING_INTERVAL;
                         CDEBUG(D_HA, "%s: Think about evicting %s from "CFS_TIME_T"\n",
-                               exp->exp_obd->obd_name, 
+                               exp->exp_obd->obd_name,
                                obd_export_nid2str(oldest_exp), oldest_time);
                 }
         } else {
@@ -1142,7 +1142,8 @@ static void ptlrpc_update_export_timer(struct obd_export *exp, long extra_delay)
  */
 static int ptlrpc_check_req(struct ptlrpc_request *req)
 {
-        int rc = 0;
+       struct obd_device *obd = req->rq_export->exp_obd;
+       int rc = 0;
 
        if (unlikely(lustre_msg_get_conn_cnt(req->rq_reqmsg) <
                     req->rq_export->exp_conn_cnt)) {
@@ -1152,22 +1153,21 @@ static int ptlrpc_check_req(struct ptlrpc_request *req)
                          req->rq_export->exp_conn_cnt);
                return -EEXIST;
        }
-        if (unlikely(req->rq_export->exp_obd &&
-                     req->rq_export->exp_obd->obd_fail)) {
-             /* Failing over, don't handle any more reqs, send
-                error response instead. */
-                CDEBUG(D_RPCTRACE, "Dropping req %p for failed obd %s\n",
-                       req, req->rq_export->exp_obd->obd_name);
+       if (unlikely(obd == NULL || obd->obd_fail)) {
+               /* Failing over, don't handle any more reqs,
+                * send error response instead. */
+               CDEBUG(D_RPCTRACE, "Dropping req %p for failed obd %s\n",
+                       req, (obd != NULL) ? obd->obd_name : "unknown");
                 rc = -ENODEV;
         } else if (lustre_msg_get_flags(req->rq_reqmsg) &
                    (MSG_REPLAY | MSG_REQ_REPLAY_DONE) &&
-                   !(req->rq_export->exp_obd->obd_recovering)) {
+                  !obd->obd_recovering) {
                         DEBUG_REQ(D_ERROR, req,
                                   "Invalid replay without recovery");
                         class_fail_export(req->rq_export);
                         rc = -ENODEV;
         } else if (lustre_msg_get_transno(req->rq_reqmsg) != 0 &&
-                   !(req->rq_export->exp_obd->obd_recovering)) {
+                  !obd->obd_recovering) {
                         DEBUG_REQ(D_ERROR, req, "Invalid req with transno "
                                   LPU64" without recovery",
                                   lustre_msg_get_transno(req->rq_reqmsg));
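Review bot: In the first branch, a NULL `exp_obd` is now logged through the same `D_RPCTRACE` line as an intentional failover, printing "failed obd unknown", so an unexpected export state on the server request path becomes indistinguishable from normal failover and is visible only when RPC tracing is enabled. Returning `-ENODEV` is the right outcome, since the old code let a NULL `exp_obd` fall through to the `obd_recovering` tests and dereference it there. The NULL case would be easier to detect with its own branch ahead of the `obd_fail` test, for example `if (unlikely(obd == NULL)) { CERROR("req %p: export has no obd\n", req); rc = -ENODEV; } else if (unlikely(obd->obd_fail)) {`. The previous hunk initialises `obd` from `req->rq_export->exp_obd` at declaration, which relies on `rq_export` being non-NULL on entry; the existing `exp_conn_cnt` read already assumes this. The function body continues past the end of this hunk.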