LU-15634 ptlrpc: Use after free of 'conn' in rhashtable retry

Use after free of 'conn' in the uncommon case of
rhashtable_lookup_get_insert_fast failing with -EBUSY or -ENOMEM

Move OBD_FREE_PTR(conn) below the retry and set conn2 to NULL
on error, propagating to conn and returning to the caller.

HPE-bug-id: LUS-10776
Fixes: 37b29a8f70 ("LU-8130 ptlrpc: convert conn_hash to rhashtable");
Signed-off-by: Shaun Tancheff <shaun.tancheff@hpe.com>
Change-Id: I2fb27d4e8fa6a5324d0a8e06afe34a39fa622bc2
Reviewed-on: https://review.whamcloud.com/46763
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Tested-by: jenkins <devops@whamcloud.com>
Reviewed-by: James Simmons <jsimmons@infradead.org>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: Oleg Drokin <green@whamcloud.com>

diff --git a/lustre/ptlrpc/connection.c b/lustre/ptlrpc/connection.c
index fe9cf6c..3f690ad 100644 (file)
--- a/lustre/ptlrpc/connection.c
+++ b/lustre/ptlrpc/connection.c
@@ -112,7 +112,6 @@ try_again:
                                                  conn_hash_params);
        if (conn2) {
                /* insertion failed */
-               OBD_FREE_PTR(conn);
                if (IS_ERR(conn2)) {
                        /* hash table could be resizing. */
                        if (PTR_ERR(conn2) == -ENOMEM ||
@@ -120,10 +119,12 @@ try_again:
                                msleep(5);
                                goto try_again;
                        }
-                       return NULL;
+                       conn2 = NULL;
                }
+               OBD_FREE_PTR(conn);
                conn = conn2;
-               ptlrpc_connection_addref(conn);
+               if (conn)
+                       ptlrpc_connection_addref(conn);
        }
        EXIT;
 out: