LU-12101 socklnd: fix infinite loop in ksocknal_push()

NeilBrown · Oleg Drokin · commit 2bf657c025a5 · 2019-07-12T05:21:43.000Z
If the list_for_each_entry() loop in ksocknal_push() ever finds a match, then it will increment 'i', and the outer loop will continue. Once peer_off becomes larger than the number of matches in a given chain, 'peer_ni' will be an invalid pointer, and ksocknal_push_peer() will probably crash when called on it. To abort the outer loop properly, we need to test if "i <= peer_off", which indicates that all patching peers have been found. This bug can easily be reproduced by running lctl --net tcp push Signed-off-by: Mr NeilBrown <neilb@suse.com> Change-Id: I9468214c7e1a0154213586cac0deb61afaa1d53d Reviewed-on: https://review.whamcloud.com/34499 Tested-by: jenkins <devops@whamcloud.com> Tested-by: Maloo <maloo@whamcloud.com> Reviewed-by: James Simmons <jsimmons@infradead.org> Reviewed-by: Sonia Sharma <sharmaso@whamcloud.com> Reviewed-by: Oleg Drokin <green@whamcloud.com>
diff --git a/lnet/klnds/socklnd/socklnd.c b/lnet/klnds/socklnd/socklnd.c
@@ -1936,7 +1936,7 @@ ksocknal_push(struct lnet_ni *ni, struct lnet_process_id id)
 			}
 			read_unlock(&ksocknal_data.ksnd_global_lock);
 
-			if (i == 0) /* no match */
+			if (i <= peer_off) /* no match */
 				break;
 
 			rc = 0;

Original file line number	Diff line number	Diff line change
`@@ -1936,7 +1936,7 @@ ksocknal_push(struct lnet_ni *ni, struct lnet_process_id id)`
`1936`	`1936`	`}`
`1937`	`1937`	`read_unlock(&ksocknal_data.ksnd_global_lock);`
`1938`	`1938`
`1939`		`- if (i == 0) /* no match */`
	`1939`	`+ if (i <= peer_off) /* no match */`
`1940`	`1940`	`break;`
`1941`	`1941`
`1942`	`1942`	`rc = 0;`