LU-16211 o2iblnd: Avoid NULL md deref

struct lnet_msg::msg_md is NULL when a router is forwarding a
REPLY. ko2iblnd attempts to access this pointer on the receive path.
This causes a panic.

Test-Parameters: trivial
Fixes: 959304eac7 ("LU-15189 lnet: fix memory mapping.")
HPE-bug-id: LUS-11269
Signed-off-by: Chris Horn <chris.horn@hpe.com>
Change-Id: I0c1dbb1e0bcd3c17b278f358755d465f7bbbb2b0
Reviewed-on: https://review.whamcloud.com/c/fs/lustre-release/+/48777
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: Serguei Smirnov <ssmirnov@whamcloud.com>
Reviewed-by: James Simmons <jsimmons@infradead.org>
Reviewed-by: Oleg Drokin <green@whamcloud.com>

diff --git a/lnet/klnds/o2iblnd/o2iblnd_cb.c b/lnet/klnds/o2iblnd/o2iblnd_cb.c
index a18b1b7..ff6819c 100644 (file)
--- a/lnet/klnds/o2iblnd/o2iblnd_cb.c
+++ b/lnet/klnds/o2iblnd/o2iblnd_cb.c
@@ -1840,7 +1840,7 @@ kiblnd_reply(struct lnet_ni *ni, struct kib_rx *rx, struct lnet_msg *lntmsg)
        struct bio_vec *kiov = lntmsg->msg_kiov;
        unsigned int offset = lntmsg->msg_offset;
        unsigned int nob = lntmsg->msg_len;
-       struct lnet_libmd *payload_md = lntmsg->msg_md;
+       struct lnet_libmd *msg_md = lntmsg->msg_md;
        struct kib_tx *tx;
        int rc;
 
@@ -1851,7 +1851,9 @@ kiblnd_reply(struct lnet_ni *ni, struct kib_rx *rx, struct lnet_msg *lntmsg)
                goto failed_0;
        }
 
-       tx->tx_gpu = !!(payload_md->md_flags & LNET_MD_FLAG_GPU);
+
+       tx->tx_gpu = msg_md ? (msg_md->md_flags & LNET_MD_FLAG_GPU) : 0;
+
        if (nob == 0)
                rc = 0;
        else
@@ -1883,8 +1885,8 @@ kiblnd_reply(struct lnet_ni *ni, struct kib_rx *rx, struct lnet_msg *lntmsg)
                tx->tx_lntmsg[0] = lntmsg;
        }
 
-        kiblnd_queue_tx(tx, rx->rx_conn);
-        return;
+       kiblnd_queue_tx(tx, rx->rx_conn);
+       return;
 
 
 failed_1:
@@ -1949,7 +1951,7 @@ kiblnd_recv(struct lnet_ni *ni, void *private, struct lnet_msg *lntmsg,
        case IBLND_MSG_PUT_REQ: {
                struct kib_msg  *txmsg;
                struct kib_rdma_desc *rd;
-               struct lnet_libmd *payload_md = lntmsg->msg_md;
+               struct lnet_libmd *msg_md = lntmsg->msg_md;
 
                ibprm_cookie = rxmsg->ibm_u.putreq.ibprm_cookie;
                if (mlen == 0) {
@@ -1968,7 +1970,8 @@ kiblnd_recv(struct lnet_ni *ni, void *private, struct lnet_msg *lntmsg,
                        break;
                }
 
-               tx->tx_gpu = !!(payload_md->md_flags & LNET_MD_FLAG_GPU);
+               tx->tx_gpu = msg_md ? (msg_md->md_flags & LNET_MD_FLAG_GPU) : 0;
+
                txmsg = tx->tx_msg;
                rd = &txmsg->ibm_u.putack.ibpam_rd;
                rc = kiblnd_setup_rd_kiov(ni, tx, rd,