From 633b0534dbf0e5e3176b74aa6ca54129946bfbc9 Mon Sep 17 00:00:00 2001
From: Mikhail Pershin
Date: Thu, 19 Jun 2014 10:35:02 +0400
Subject: [PATCH] LU-5177 mdt: fix object leak and use after free

The mdt_intent_layout() and mdt_open_by_fid_lock() may exit without object put and causing object leakage. The mdt_md_create() passed possibly freed object to the mdt_create_pack_capa()

Signed-off-by: Mikhail Pershin
Change-Id: I634052c58ee8595871af987755fda5a9f2c942e1
Reviewed-on: http://review.whamcloud.com/10750
Tested-by: Jenkins
Tested-by: Maloo
Reviewed-by: wangdi
Reviewed-by: John L. Hammond
Reviewed-by: Oleg Drokin
---
 lustre/mdt/mdt_handler.c | 4 +++-
 lustre/mdt/mdt_open.c | 7 ++++---
 lustre/mdt/mdt_reint.c | 23 ++++++++++++-----------
 3 files changed, 19 insertions(+), 15 deletions(-)

diff --git a/lustre/mdt/mdt_handler.c b/lustre/mdt/mdt_handler.c
index 91c2207..f6d5a58 100644
--- a/lustre/mdt/mdt_handler.c
+++ b/lustre/mdt/mdt_handler.c
@@ -3261,8 +3261,10 @@ static int mdt_intent_layout(enum mdt_it_code opcode,
 if (mdt_object_exists(obj) && !mdt_object_remote(obj)) {
 /* get the length of lsm */
 rc = mdt_attr_get_eabuf_size(info, obj);
- if (rc < 0)
+ if (rc < 0) {
+ mdt_object_put(info->mti_env, obj);
 RETURN(rc);
+ }
 if (rc > info->mti_mdt->mdt_max_mdsize)
 info->mti_mdt->mdt_max_mdsize = rc;
diff --git a/lustre/mdt/mdt_open.c b/lustre/mdt/mdt_open.c
index e25e4fd..11dcb3b 100644
--- a/lustre/mdt/mdt_open.c
+++ b/lustre/mdt/mdt_open.c
@@ -1461,9 +1461,9 @@ int mdt_open_by_fid_lock(struct mdt_thread_info *info, struct ldlm_reply *rep,
 ma->ma_need |= MA_PFID;
 }
- o = mdt_object_find(env, mdt, rr->rr_fid2);
- if (IS_ERR(o))
- RETURN(rc = PTR_ERR(o));
+ o = mdt_object_find(env, mdt, rr->rr_fid2);
+ if (IS_ERR(o))
+ GOTO(out_parent_put, rc = PTR_ERR(o));
 if (mdt_object_remote(o)) {
 CDEBUG(D_INFO, "%s: "DFID" is on remote MDT.\n",
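Review bot: The leak is closed for this one exit only, and it is closed inline — `mdt_object_put(info->mti_env, obj); RETURN(rc);` — whereas the same patch fixes mdt_open_by_fid_lock with a `GOTO(out_parent_put, ...)` cleanup label. mdt_intent_layout continues outside the hunk, so I cannot see whether further early returns exist between this check and the function's normal put; routing this exit through a single put label (e.g. `GOTO(out_obj_put, rc)`) would keep any later exit from reintroducing the leak. The find that pairs with this put is above the hunk; a one-line comment on the put, `/* drop the obj reference taken by the lookup above */`, would make the pairing visible at the exit.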
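Review bot: `GOTO(out_parent_put, rc = PTR_ERR(o))` releases parent when the lookup fails, but the `if (mdt_object_remote(o))` branch that starts on the hunk's last line continues outside it, and any `RETURN` on that path would leak both o and parent; I cannot confirm from the hunk that it exits through `out`. The `o = mdt_object_find(env, mdt, rr->rr_fid2);` and `if (IS_ERR(o))` lines appear as remove/add pairs with identical text, which looks like an indentation-only change bundled with the fix and hides the single line that actually changed. mdt_open_by_fid_lock starts before and ends after the hunk.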
@@ -1526,6 +1526,7 @@ out_unlock:
 mdt_object_open_unlock(info, o, lhc, ibits, rc);
 out:
 mdt_object_put(env, o);
+out_parent_put:
 if (parent != NULL)
 mdt_object_put(env, parent);
 return rc;
diff --git a/lustre/mdt/mdt_reint.c b/lustre/mdt/mdt_reint.c
index 3150e60..2f98026 100644
--- a/lustre/mdt/mdt_reint.c
+++ b/lustre/mdt/mdt_reint.c
@@ -423,18 +423,19 @@ static int mdt_md_create(struct mdt_thread_info *info)
 if (rc == 0)
 rc = mdt_attr_get_complex(info, child, ma);
- if (rc == 0) {
- /* Return fid & attr to client. */
- if (ma->ma_valid & MA_INODE)
- mdt_pack_attr2body(info, repbody, &ma->ma_attr,
- mdt_object_fid(child));
- }
+ if (rc == 0) {
+ /* Return fid & attr to client. */
+ if (ma->ma_valid & MA_INODE)
+ mdt_pack_attr2body(info, repbody, &ma->ma_attr,
+ mdt_object_fid(child));
+ }
 out_put_child:
- mdt_object_put(info->mti_env, child);
- } else {
- rc = PTR_ERR(child);
- }
- mdt_create_pack_capa(info, rc, child, repbody);
+ mdt_create_pack_capa(info, rc, child, repbody);
+ mdt_object_put(info->mti_env, child);
+ } else {
+ rc = PTR_ERR(child);
+ mdt_create_pack_capa(info, rc, NULL, repbody);
+ }
 unlock_parent:
 mdt_object_unlock(info, parent, lh, rc);
 put_parent:
-- 
1.8.3.1
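Review bot: The new `out_parent_put:` label sits directly below the unconditional `mdt_object_put(env, o);`, so the only thing distinguishing the two exits is which label a caller jumps to; nothing at the label says that o must not be valid here. `parent` is NULL-checked before its put while `o` is not, so a jump to `out` from a path where o was never assigned would hand a bad pointer to mdt_object_put, and the adjacent labels make that mistake cheap to introduce. A comment on the label, `/* o was not (or not yet) looked up: only the parent reference is held */`, would state the invariant. The function's body continues above the hunk.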
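Review bot: The functional change — calling mdt_create_pack_capa before `mdt_object_put(info->mti_env, child)` and passing `NULL` once `rc = PTR_ERR(child)` — is buried under the re-indentation of the six-line `if (rc == 0) { ... }` block, which shows as a full remove/add pair with unchanged text; splitting that whitespace change out would leave a four-line fix that is obvious to review. `mdt_create_pack_capa(info, rc, NULL, repbody);` now relies on the helper tolerating a NULL object on the error path; its definition is outside the hunk, so I cannot confirm it does. A short comment above the success-path call, `/* pack the capa while child is still referenced; the put must stay last */`, would keep the ordering from being "tidied" back to the use-after-free. mdt_md_create starts before and ends after the hunk.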