From 01a6f01a4d26831d055552a113ff0fac9547f0aa Mon Sep 17 00:00:00 2001
From: Liang Zhen
Date: Fri, 6 Nov 2015 22:23:05 +0800
Subject: [PATCH] LU-7324 lnet: recv could access freed message

When lnet_parse_put calls lnet_ptl_match_md, this function can attach current message on the delayed list if there is no match. It means this message can be taken over and freed by another thread who is posting new MD, then it is not safe for caller of lnet_parse_put to check this message again. This patch fixes this issue by adding a local variable "ready_delay" to store corresponding status of lnet_msg, so lnet doesn't need to check the message again if lnet_ptl_match_md returned MATCH_NONE for it.
Signed-off-by: Liang Zhen
Change-Id: I0f8827103dd637648112e936ce6e685266e5ca40
Reviewed-on: http://review.whamcloud.com/17065
Tested-by: Jenkins
Tested-by: Maloo
Reviewed-by: Doug Oucharek
Reviewed-by: Faccini Bruno
Reviewed-by: Oleg Drokin
---
 lnet/lnet/lib-move.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/lnet/lnet/lib-move.c b/lnet/lnet/lib-move.c
index 64f8a9e..7f5c0e8 100644
--- a/lnet/lnet/lib-move.c
+++ b/lnet/lnet/lib-move.c
@@ -1439,6 +1439,7 @@ lnet_parse_put(lnet_ni_t *ni, lnet_msg_t *msg)
 lnet_hdr_t *hdr = &msg->msg_hdr;
 struct lnet_match_info info;
 int rc;
+ bool ready_delay;
 /* Convert put fields to host byte order */
 hdr->msg.put.match_bits = le64_to_cpu(hdr->msg.put.match_bits);
@@ -1454,6 +1455,7 @@ lnet_parse_put(lnet_ni_t *ni, lnet_msg_t *msg)
 info.mi_mbits = hdr->msg.put.match_bits;
 msg->msg_rx_ready_delay = ni->ni_lnd->lnd_eager_recv == NULL;
+ ready_delay = msg->msg_rx_ready_delay;
 again:
 rc = lnet_ptl_match_md(&info, msg);
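Review bot: The snapshot `ready_delay = msg->msg_rx_ready_delay;` carries no comment saying why the field is copied, so a later cleanup could fold it back into a read of `msg` after `lnet_ptl_match_md()` and reintroduce the use-after-free described in the commit message. A comment on that line would pin the ownership rule, e.g. `/* local copy: once lnet_ptl_match_md() returns LNET_MATCHMD_NONE the msg may be on the delayed list and freed by another thread */`. lnet_parse_put's body begins before this hunk and continues after it.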
@@ -1466,12 +1468,16 @@ lnet_parse_put(lnet_ni_t *ni, lnet_msg_t *msg)
 return 0;
 case LNET_MATCHMD_NONE:
- if (msg->msg_rx_delayed) /* attached on delayed list */
+ if (ready_delay)
+ /* no eager_recv or has already called it, should
+ * have been attached on delayed list */
 return 0;
 rc = lnet_ni_eager_recv(ni, msg);
- if (rc == 0)
+ if (rc == 0) {
+ ready_delay = true;
 goto again;
+ }
 /* fall through */
 case LNET_MATCHMD_DROP:
--
1.8.3.1
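Review bot: `ready_delay = true` before `goto again` assumes that a successful `lnet_ni_eager_recv()` leaves the message marked ready-to-delay; that function is not visible here, and if the field and the local ever disagree the second `LNET_MATCHMD_NONE` pass returns 0 for a message that was never queued. The message still appears to be owned by this thread at that point, so the assumption can be checked there with `LASSERT(msg->msg_rx_ready_delay);` ahead of the assignment. Separately, the two-line comment now sits between the unbraced `if (ready_delay)` and its `return 0;`; bracing that branch, as the hunk already does for `if (rc == 0)`, would keep the body unambiguous. The switch begins before the hunk and continues past it.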