BUG: KFENCE: use-after-free write in \
kiblnd_destroy_conn+0x356/0x660 [ko2iblnd]
In kiblnd_destroy_conn(), calling kiblnd_peer_decref()
could result in freeing the peer_ni.
Drop the connection counters before calling
kiblnd_peer_decref() to avoid a use-after-free.
HPE-bug-id: LUS-12513
Signed-off-by: Shaun Tancheff <shaun.tancheff@hpe.com>
Change-Id: I85fcfc399ca38e9b85d9eff72314f0363e2a0666
Reviewed-on: https://review.whamcloud.com/c/fs/lustre-release/+/56275
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: Chris Horn <chris.horn@hpe.com>
Reviewed-by: Petros Koutoupis <petros.koutoupis@hpe.com>
Reviewed-by: James Simmons <jsimmons@infradead.org>
Reviewed-by: Oleg Drokin <green@whamcloud.com>
if (conn->ibc_state != IBLND_CONN_INIT) {
struct kib_net *net = peer_ni->ibp_ni->ni_data;
- kiblnd_peer_decref(peer_ni);
- rdma_destroy_id(cmid);
atomic_dec(&peer_ni->ibp_nconns);
atomic_dec(&net->ibn_nconns);
+ kiblnd_peer_decref(peer_ni);
+ rdma_destroy_id(cmid);
}
}
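Review bot: The reordered block carries no comment saying that atomic_dec(&peer_ni->ibp_nconns) and atomic_dec(&net->ibn_nconns) must run before kiblnd_peer_decref(peer_ni), so a later cleanup could put the decref back on top and reintroduce the write to a freed peer_ni. A one-line comment above the two atomic_dec() calls, stating that kiblnd_peer_decref() may drop the last reference, would pin the ordering. Separately, rdma_destroy_id(cmid) is also moved below the counter decrements, while the commit message only justifies moving kiblnd_peer_decref(). If any teardown path waits for ibn_nconns to reach zero, the cmid is now still live when that counter drops, so it is worth confirming that this is safe or leaving rdma_destroy_id() ahead of the decrements. The local net pointer is read from peer_ni->ibp_ni->ni_data while the reference is still held, which is the right place for it.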