[openib-general] [PATCH] SDP: fix oops with port reuse

Tom Duffy tduffy at sun.com
Mon Jul 25 11:18:20 PDT 2005


This patch fixes an oops that I introduced in my conversion to use linux
lists for binds (committed in revision 2874).  If two sockets tried to
use the same port, after failing to get the port (again), it would
attempt a put and the second attempt would oops the machine.  This patch
fixes the problem that looked like this:

Unable to handle kernel NULL pointer dereference at 0000000000000008 RIP:
<ffffffff8830ca0e>{:ib_sdp:sdp_inet_port_put+62}
PGD 0
Oops: 0002 [1] PREEMPT SMP
CPU 0
Modules linked in: ib_sdp ib_cm ipv6 parport_pc lp parport autofs4 i2c_dev i2c_core nfs lockd rfcomm l2cap bluetooth pcmcia yenta_socket rsrc_nonstatic pcmcia_core sunrpc ext3 jbd dm_mod video hotkey container button battery ac ohci_hcd tpm_atmel tpm hw_random shpchp ib_mthca ib_ipoib ib_sa ib_mad ib_core tg3 floppy mptspi xfs exportfs mptscsih mptbase sd_mod scsi_mod
Pid: 8914, comm: ttcp Not tainted 2.6.13-rc3openib
RIP: 0010:[<ffffffff8830ca0e>] <ffffffff8830ca0e>{:ib_sdp:sdp_inet_port_put+62}
RSP: 0018:ffff81006d79fdc8  EFLAGS: 00010002
RAX: 0000000000000000 RBX: ffff8100085f90b8 RCX: ffff8100085f9670
RDX: 0000000000000000 RSI: 0000000000000213 RDI: ffffffff8831d0b8
RBP: ffff8100085f90b8 R08: 0000000000000000 R09: ffff8100757f8e28
R10: ffff81006d79fd54 R11: 0000000000000000 R12: ffff8100085f9634
R13: ffff8100085f9640 R14: ffff81003f8db050 R15: 0000000000000000
FS:  00002aaaaaad7900(0000) GS:ffffffff80514800(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000008 CR3: 0000000000101000 CR4: 00000000000006e0
Process ttcp (pid: 8914, threadinfo ffff81006d79e000, task ffff81007366a030)
Stack: ffff8100085f90b8 ffffffff8830d78b 0000000000000213 ffffffff883091d0
       ffff810023c2b110 ffffffff802f2b29 ffff81003fff3100 ffff810023c2b110
       0000000000000000 0000000000000213
Call Trace:<ffffffff8830d78b>{:ib_sdp:sdp_conn_put+171} <ffffffff883091d0>{:ib_sdp:sdp_inet_release+816}
       <ffffffff802f2b29>{release_sock+25} <ffffffff802ef819>{sock_release+25}
       <ffffffff802f03b5>{sock_close+53} <ffffffff80189452>{__fput+178}
       <ffffffff80186508>{filp_close+104} <ffffffff80138a44>{put_files_struct+116}
       <ffffffff80139bf7>{do_exit+535} <ffffffff8013a76c>{do_group_exit+252}
       <ffffffff8010dda2>{system_call+126}

Signed-off-by: Tom Duffy <tduffy at sun.com>

Index: drivers/infiniband/ulp/sdp/sdp_conn.c
===================================================================
--- drivers/infiniband/ulp/sdp/sdp_conn.c	(revision 2904)
+++ drivers/infiniband/ulp/sdp/sdp_conn.c	(working copy)
@@ -498,7 +498,8 @@ int sdp_inet_port_put(struct sdp_sock *c
 		return -EADDRNOTAVAIL;
 
 	spin_lock_irqsave(&dev_root_s.bind_lock, flags);
-	list_del(&conn->bind_next);
+	if (conn->src_port)
+		list_del(&conn->bind_next);
 	conn->src_port = 0;
 	spin_unlock_irqrestore(&dev_root_s.bind_lock, flags);
 
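Review bot: The new "if (conn->src_port)" test in sdp_inet_port_put() uses src_port as a stand-in for "conn is currently linked on the bind list", and nothing in the hunk documents that invariant. A one-line comment above the test would make the intent clear. Alternatively, use list_del_init(&conn->bind_next) guarded by !list_empty(&conn->bind_next), so that a repeated put is safe based on the list node's own state rather than on a separate field. That variant requires bind_next to be set up with INIT_LIST_HEAD() when the conn is created. The test sits inside the bind_lock critical section, which is the right place; keep it there if the check is reworked.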



