From 9461ed3fff67d81a9de08653fdb6975db8b76be3 Mon Sep 17 00:00:00 2001
From: Dmitry Eremin
Date: Wed, 23 Apr 2014 12:01:25 +0400
Subject: [PATCH] LU-4629 ptlrpc: fix NULL pointer dereference of {exp,imp}_obd
Pointer 'obd' checked for NULL at line 694 may be dereferenced at line 813. Pointer 'req->rq_export->exp_obd' checked for NULL at line 1155 may be dereferenced at line 1164. Also there is one similar error on line 1170.
Signed-off-by: Dmitry Eremin
Change-Id: I4e0d40bb634415a3f7f1a38f66139b89b9f97772
Reviewed-on: http://review.whamcloud.com/10062
Tested-by: Jenkins
Reviewed-by: John L. Hammond
Tested-by: Maloo
Reviewed-by: Mike Pershin
Reviewed-by: Oleg Drokin
---
 lustre/ptlrpc/niobuf.c | 13 ++++++-------
 lustre/ptlrpc/service.c | 20 ++++++++++----------
 2 files changed, 16 insertions(+), 17 deletions(-)
diff --git a/lustre/ptlrpc/niobuf.c b/lustre/ptlrpc/niobuf.c
index a695e57..e75599a 100644
--- a/lustre/ptlrpc/niobuf.c
+++ b/lustre/ptlrpc/niobuf.c
@@ -691,11 +691,10 @@ int ptl_send_rpc(struct ptlrpc_request *request, int noreply)
 * cleanly from the previous attempt */
 LASSERT(!request->rq_receiving_reply);
- if (request->rq_import->imp_obd &&
- request->rq_import->imp_obd->obd_fail) {
- CDEBUG(D_HA, "muting rpc for failed imp obd %s\n",
- request->rq_import->imp_obd->obd_name);
- /* this prevents us from waiting in ptlrpc_queue_wait */
+ if (unlikely(obd != NULL && obd->obd_fail)) {
+ CDEBUG(D_HA, "muting rpc for failed imp obd %s\n",
+ obd->obd_name);
+ /* this prevents us from waiting in ptlrpc_queue_wait */
 spin_lock(&request->rq_lock);
 request->rq_err = 1;
 spin_unlock(&request->rq_lock);
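Review bot: The `obd != NULL` test added here, and the matching one before `lprocfs_counter_add()` in the -810 hunk, tolerate a NULL import obd without saying when that state can occur on a request that reaches ptl_send_rpc(). `obd` is assigned outside both hunks and the function body between them is not shown, so it cannot be confirmed from here that every other use of `obd` on this path is guarded too. If a NULL `imp_obd` is a legitimate state, a comment at the declaration along the lines of `/* imp_obd may be NULL (state the case); every use below must check */` would keep later edits from reintroducing the crash. If it is not legitimate, a single assertion at function entry states the contract more clearly than scattered checks.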
@@ -810,8 +809,8 @@ int ptl_send_rpc(struct ptlrpc_request *request, int noreply)
 /* add references on request for request_out_callback */
 ptlrpc_request_addref(request);
- if (obd->obd_svc_stats != NULL)
- lprocfs_counter_add(obd->obd_svc_stats, PTLRPC_REQACTIVE_CNTR,
+ if (obd != NULL && obd->obd_svc_stats != NULL)
+ lprocfs_counter_add(obd->obd_svc_stats, PTLRPC_REQACTIVE_CNTR,
 atomic_read(&request->rq_import->imp_inflight));
 OBD_FAIL_TIMEOUT(OBD_FAIL_PTLRPC_DELAY_SEND, request->rq_timeout + 5);
diff --git a/lustre/ptlrpc/service.c b/lustre/ptlrpc/service.c
index d9476b4..98696f4 100644
--- a/lustre/ptlrpc/service.c
+++ b/lustre/ptlrpc/service.c
@@ -1119,7 +1119,7 @@ static void ptlrpc_update_export_timer(struct obd_export *exp, long extra_delay)
 exp->exp_obd->obd_eviction_timer = cfs_time_current_sec() + 3 * PING_INTERVAL;
 CDEBUG(D_HA, "%s: Think about evicting %s from "CFS_TIME_T"\n",
- exp->exp_obd->obd_name,
+ exp->exp_obd->obd_name,
 obd_export_nid2str(oldest_exp), oldest_time);
 }
 } else {
@@ -1142,7 +1142,8 @@ static void ptlrpc_update_export_timer(struct obd_export *exp, long extra_delay)
 */
 static int ptlrpc_check_req(struct ptlrpc_request *req)
 {
- int rc = 0;
+ struct obd_device *obd = req->rq_export->exp_obd;
+ int rc = 0;
 if (unlikely(lustre_msg_get_conn_cnt(req->rq_reqmsg) < req->rq_export->exp_conn_cnt)) {
@@ -1152,22 +1153,21 @@ static int ptlrpc_check_req(struct ptlrpc_request *req)
 req->rq_export->exp_conn_cnt);
 return -EEXIST;
 }
- if (unlikely(req->rq_export->exp_obd &&
- req->rq_export->exp_obd->obd_fail)) {
- /* Failing over, don't handle any more reqs, send
- error response instead. */
- CDEBUG(D_RPCTRACE, "Dropping req %p for failed obd %s\n",
- req, req->rq_export->exp_obd->obd_name);
+ if (unlikely(obd == NULL || obd->obd_fail)) {
+ /* Failing over, don't handle any more reqs,
+ * send error response instead. */
+ CDEBUG(D_RPCTRACE, "Dropping req %p for failed obd %s\n",
+ req, (obd != NULL) ? obd->obd_name : "unknown");
 rc = -ENODEV;
 } else if (lustre_msg_get_flags(req->rq_reqmsg) & (MSG_REPLAY | MSG_REQ_REPLAY_DONE) &&
- !(req->rq_export->exp_obd->obd_recovering)) {
+ !obd->obd_recovering) {
 DEBUG_REQ(D_ERROR, req, "Invalid replay without recovery");
 class_fail_export(req->rq_export);
 rc = -ENODEV;
 } else if (lustre_msg_get_transno(req->rq_reqmsg) != 0 &&
- !(req->rq_export->exp_obd->obd_recovering)) {
+ !obd->obd_recovering) {
 DEBUG_REQ(D_ERROR, req, "Invalid req with transno " LPU64" without recovery", lustre_msg_get_transno(req->rq_reqmsg));
-- 
1.8.3.1
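Review bot: The first branch now also fires for `obd == NULL`, but its comment and trace message still describe only failover, so a request dropped because the export has no obd is logged as `failed obd unknown` at D_RPCTRACE and cannot be told apart from a routine failover drop. A NULL `exp_obd` on an export that is still receiving requests looks more like a broken invariant than normal state, though that is inferred because the export lifecycle is not visible here. I would reword the comment to `/* No obd on the export, or obd failing over: don't handle any more reqs, send error response instead. */` and consider a separate, more visible message for the NULL case so operators can spot it. `obd` is a snapshot taken at function entry in the previous hunk, and ptlrpc_check_req() continues past the end of this hunk.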