[openib-general] CM oops on sending DREQ and DREP when not in proper state
Hal Rosenstock
halr at voltaire.com
Tue Mar 22 09:19:23 PST 2005
Hi Sean,
In cm.c, in both ib_send_cm_dreq() and ib_send_cm_drep(), there are
checks for the connection being in the proper state. When this check
fails, an attempt is made to free the allocated message, but it is done
from cm_id_priv->msg, which is never stored in this error case; just msg
would be correct.
int ib_send_cm_dreq
{
	...
	if (cm_id->state != IB_CM_ESTABLISHED) {
		spin_unlock_irqrestore(&cm_id_priv->lock, flags);
		ret = -EINVAL;
		goto out;
	...
	if (!ret) {
		cm_id->state = IB_CM_DREQ_SENT;
		cm_id_priv->msg = msg;
	} else
		cm_enter_timewait(cm_id_priv);
	spin_unlock_irqrestore(&cm_id_priv->lock, flags);
out:
	if (!msg_ret && ret)
		cm_free_msg(cm_id_priv->msg);
	return ret;
Similarly for ib_send_cm_drep.
Thanks.
-- Hal
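The cleanup pattern described above, as a constructed C model added here (not code from the post or from the OpenIB CM): the struct layout and the instrumented allocator are assumptions, and send_dreq_buggy/send_dreq_fixed differ only in whether the error path frees cm_id_priv->msg or the local msg.

```c
#include <errno.h>
#include <stdlib.h>

/* Constructed model of the cm.c DREQ error path, not the kernel's code. */
enum { IB_CM_IDLE, IB_CM_ESTABLISHED, IB_CM_DREQ_SENT };
struct cm_msg { int reserved; };
struct cm_id_priv {
    int state;
    struct cm_msg *msg;   /* assigned only once the send succeeds */
};

/* Instrumented allocator so the cleanup of each variant can be inspected. */
static struct cm_msg *g_last_alloc, *g_last_freed;
static int g_bad_free;    /* freed NULL or a pointer this allocator never gave out */

static struct cm_msg *cm_alloc_msg(void) { return g_last_alloc = malloc(sizeof *g_last_alloc); }

static void cm_free_msg(struct cm_msg *m)
{
    g_last_freed = m;
    if (m != g_last_alloc) { g_bad_free = 1; return; }   /* would oops or double free */
    free(m);
}

void reset_tracking(void) { g_last_alloc = g_last_freed = NULL; g_bad_free = 0; }
int bad_free_seen(void) { return g_bad_free; }
int msg_leaked(void) { return g_last_alloc && g_last_freed != g_last_alloc; }

/* Shared flow. free_local == 0 reproduces the reported cleanup, which frees
 * cm_id_priv->msg although only the local msg exists in this error case. */
static int send_dreq(struct cm_id_priv *p, int free_local)
{
    struct cm_msg *msg = cm_alloc_msg();
    int ret = 0;
    if (!msg)
        return -ENOMEM;
    if (p->state != IB_CM_ESTABLISHED) {
        ret = -EINVAL;
        goto out;
    }
    p->state = IB_CM_DREQ_SENT;
    p->msg = msg;
out:
    if (ret)
        cm_free_msg(free_local ? msg : p->msg);
    return ret;
}

int send_dreq_buggy(struct cm_id_priv *p) { return send_dreq(p, 0); }
int send_dreq_fixed(struct cm_id_priv *p) { return send_dreq(p, 1); }
```

With the connection not yet established, the buggy variant hands a NULL cm_id_priv->msg to cm_free_msg() and leaks the message it just allocated; the fixed variant frees exactly the local msg.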