[openib-general] IPoIB oops on path record completion

[Roland Dreier]

    Hal> This is due to the following: ib_sa_path_rec_callback:
    Hal> sa_query 0xc0db0788 status 0xffffff92 mad 0x00000000 which
    Hal> invokes query-> callback(status, NULL, query->context);

    Hal> ipoib_main.c: static void path_rec_completion(int status,
    Hal> struct ib_sa_path_rec *pathrec, void *path_ptr)

    Hal> path_rec_completion is using the pathrec parameter as a
    Hal> pointer without checking it for NULL first.

Hmm... are you sure this is what causes the oops?
path_rec_completion() will only dereference the pathrec parameter if
its local variable ah is non-NULL:

	if (ah) {
		path->pathrec = *pathrec;

and ah can only be set to non-NULL if status is successful (ah is
initialized to NULL and the only place it can be changed is

		ah = ipoib_create_ah(path->dev, priv->pd, &av);

which is inside a test of status.

Can you give the exact sequence you use to duplicate this?  I haven't
been able to make it happen in my network.

    Hal> Also, what I do see when I do a broadcast ping is that the
    Hal> path record is obtained over and over rather than being
    Hal> requested once and cached.  Is that what is supposed to be
    Hal> happening now ?

No, that shouldn't happen.  I'll try to figure out what's happening.

 - R.