[openib-general] Re: different CM panic

Roland Dreier rolandd at cisco.com
Fri Sep 9 20:54:05 PDT 2005


Well, at least I tracked this down to a use-after-free bug in the CM.
I went ahead and committed this trivial fix:

If the CM REQ handling function gets to error2, then it frees
cm_id_priv->timewait_info.  But the next line goes through
ib_destroy_cm_id() -> ib_send_cm_rej() -> cm_reset_to_idle(),
which ends up calling cm_cleanup_timewait(), which dereferences the
pointer we just freed.

--- infiniband/core/cm.c	(revision 3352)
+++ infiniband/core/cm.c	(working copy)
@@ -1315,6 +1315,7 @@ error3:	atomic_dec(&cm_id_priv->refcount
 	cm_deref_id(listen_cm_id_priv);
 	cm_cleanup_timewait(cm_id_priv->timewait_info);
 error2:	kfree(cm_id_priv->timewait_info);
+	cm_id_priv->timewait_info = NULL;
 error1:	ib_destroy_cm_id(&cm_id_priv->id);
 	return ret;
 }
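Review bot: the NULL assignment after `kfree(cm_id_priv->timewait_info)` only removes the use-after-free if `cm_cleanup_timewait()` (reached through `ib_destroy_cm_id()` -> `ib_send_cm_rej()` -> `cm_reset_to_idle()` on the next line) tolerates a NULL argument; that check is not visible in this hunk, so it should be confirmed or the call guarded on the `cm_reset_to_idle()` side. Note that the `error3:` path above calls `cm_cleanup_timewait(cm_id_priv->timewait_info)` while the pointer is still live and then falls through to the same `kfree` and NULL store, so after this change both paths reach `error1:` with a cleared pointer. A one-line comment at `error2:` saying why the pointer is cleared (the destroy path will walk it again) would keep a future cleanup from dropping the store.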

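The sequence described above (free the timewait entry, then tear the id down through a path that looks at the same pointer), modelled in a small stand-alone C program. This is an added example, not code from the OpenIB CM; the structures and the NULL-tolerant `cleanup_timewait()` are constructed assumptions that stand in for `cm_timewait_info`, `cm_id_priv` and `cm_cleanup_timewait()`, whose real definitions are not on this page.

```c
#include <stdlib.h>

/* Constructed model of the CM structures (assumption, not the kernel's). */
struct cm_timewait_info {
    int inserted_remote_id;   /* stands in for the list/tree state cleanup touches */
};

struct cm_id_priv {
    struct cm_timewait_info *timewait_info;
};

/* Models cm_cleanup_timewait(). Assumption: it tolerates NULL, which is
 * what makes clearing the pointer after kfree() a sufficient fix.
 * Returns 1 if it dereferenced a timewait entry, 0 if there was nothing to do. */
static int cleanup_timewait(struct cm_timewait_info *tw)
{
    if (!tw)
        return 0;
    tw->inserted_remote_id = 0;
    return 1;
}

/* Models the ib_destroy_cm_id() -> ib_send_cm_rej() -> cm_reset_to_idle()
 * chain, which ends in the timewait cleanup. */
static int destroy_cm_id(struct cm_id_priv *p)
{
    return cleanup_timewait(p->timewait_info);
}

/* The unpatched error2 path as the mail describes it: the entry is freed
 * and the destroy chain then walks the dangling pointer. Kept only for
 * contrast; never called, since running it is a use-after-free. */
int req_error_path_unpatched(struct cm_id_priv *p)
{
    free(p->timewait_info);
    return destroy_cm_id(p);   /* dereferences freed memory */
}

/* The patched error2 path: free, clear the pointer, then tear down.
 * Returns how many timewait entries the teardown dereferenced (0 = safe). */
int req_error_path_fixed(struct cm_id_priv *p)
{
    free(p->timewait_info);
    p->timewait_info = NULL;   /* the one-line fix from the patch */
    return destroy_cm_id(p);
}

/* Builds a cm_id_priv holding one live timewait entry (constructed input). */
struct cm_id_priv *make_cm_id_priv(void)
{
    struct cm_id_priv *p = calloc(1, sizeof(*p));
    if (!p)
        return NULL;
    p->timewait_info = calloc(1, sizeof(*p->timewait_info));
    if (!p->timewait_info) {
        free(p);
        return NULL;
    }
    p->timewait_info->inserted_remote_id = 1;
    return p;
}
```

The point the model makes is that the fix is only as good as the cleanup's NULL handling: `req_error_path_fixed()` returns 0 because `cleanup_timewait()` sees NULL and does nothing, so the freed entry is never touched again.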