diff options
author | Oleg Drokin <green@linuxhacker.ru> | 2014-06-22 21:32:06 -0400 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2014-06-26 20:45:05 -0400 |
commit | 61d7258bf144ff388f51d0a3b295a7493fe10035 (patch) | |
tree | 4b4d61645900266b050387e227be7d6ce42d9b61 /drivers/staging/lustre/lustre/ptlrpc/sec_null.c | |
parent | 3eeb821eff089e0f26f016a09ea1ee011fba3b4f (diff) |
staging/lustre/ptlrpc: Protect request buffer changing
*_enlarge_reqbuf class of functions can change request body location
for a request that's already in replay list, as such a parallel
traverser of the list (after_reply -> ptlrpc_free_committed) might
access freed and scrambled memory causing assertion.
Since all such users only can get to this request under imp_lock, take
imp_lock to protect against them in *_enlarge_reqbuf
Signed-off-by: Oleg Drokin <oleg.drokin@intel.com>
Reviewed-on: http://review.whamcloud.com/10074
Intel-bug-id: https://jira.hpdd.intel.com/browse/LU-3333
Reviewed-by: Mike Pershin <mike.pershin@intel.com>
Reviewed-by: Andreas Dilger <andreas.dilger@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/staging/lustre/lustre/ptlrpc/sec_null.c')
-rw-r--r-- | drivers/staging/lustre/lustre/ptlrpc/sec_null.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/drivers/staging/lustre/lustre/ptlrpc/sec_null.c b/drivers/staging/lustre/lustre/ptlrpc/sec_null.c index ff1137fe4dd6..ac967cb983cf 100644 --- a/drivers/staging/lustre/lustre/ptlrpc/sec_null.c +++ b/drivers/staging/lustre/lustre/ptlrpc/sec_null.c @@ -260,11 +260,22 @@ int null_enlarge_reqbuf(struct ptlrpc_sec *sec, if (newbuf == NULL) return -ENOMEM; + /* Must lock this, so that otherwise unprotected change of + * rq_reqmsg is not racing with parallel processing of + * imp_replay_list traversing threads. See LU-3333 + * This is a bandaid at best, we really need to deal with this + * in request enlarging code before unpacking that's already + * there */ + if (req->rq_import) + spin_lock(&req->rq_import->imp_lock); memcpy(newbuf, req->rq_reqbuf, req->rq_reqlen); OBD_FREE_LARGE(req->rq_reqbuf, req->rq_reqbuf_len); req->rq_reqbuf = req->rq_reqmsg = newbuf; req->rq_reqbuf_len = alloc_size; + + if (req->rq_import) + spin_unlock(&req->rq_import->imp_lock); } _sptlrpc_enlarge_msg_inplace(req->rq_reqmsg, segment, newsize); |