[openib-general] [Bug 184] New: System crashes on shutdown due to access of freed memory

bugzilla-daemon at openib.org bugzilla-daemon at openib.org
Wed Aug 2 19:25:28 PDT 2006


http://openib.org/bugzilla/show_bug.cgi?id=184

           Summary: System crashes on shutdown due to access of freed memory
           Product: OpenFabrics Windows
           Version: unspecified
          Platform: X86
        OS/Version: Other
            Status: NEW
          Severity: critical
          Priority: P2
         Component: Core
        AssignedTo: bugzilla at openib.org
        ReportedBy: jbottorff at xsigo.com


This is for release 432.

On system shutdown, driver verifier detects access to freed memory in
core\al\kernel\al_ioc_pnp.c. Without verifier, this causes a crash moments
later.

The problem seems to be in 

static void
__process_sweep(
    IN    cl_async_proc_item_t    *p_async_item )
{
    ib_api_status_t        status;
    ioc_sweep_results_t    *p_results;

    AL_ENTER( AL_DBG_PNP );
    p_results = PARENT_STRUCT( p_async_item, ioc_sweep_results_t, async_item );
    CL_ASSERT( !p_results->p_svc->query_cnt );

    if( p_results->p_svc->obj.state == CL_DESTROYING )
    {
        __put_iou_map( gp_ioc_pnp, &p_results->iou_map );
        cl_free( p_results );
    }

    /* Walk the map of IOUs and discard any that didn't respond to IOU info. */
    __flush_duds( p_results );
    switch( p_results->state )
    {
    case SWEEP_IOU_INFO:
    …

Pretty clearly, if the code path for p_results->p_svc->obj.state ==
CL_DESTROYING is taken, and cl_free (p_results) is called, the following
statements that access p_results are going to be invalid.

I believe this also may cause an error that's reported as a double freeing of
memory, if the function frees p_results at the top, and then makes it to the
bottom where it may free p_results again.

The stack looks like:
bafc7c94 ba954be8 00000000 8fdf6ff0 00000000 nt!KiTrap0E+0xe4
bafc7d28 ba965221 8fdf6f80 00000000 00000001 ibbus!cl_fmap_head+0x38
[k:\windows-openib\src\winib-432\inc\complib\cl_fleximap.h @ 486]
bafc7d50 ba964e85 8fdf6f58 859d0020 00000000 ibbus!__flush_duds+0xa1
[k:\windows-openib\src\winib-432\core\al\kernel\al_ioc_pnp.c @ 2225]
bafc7d70 ba950884 8fdf6f58 00000001 8fdf6f58 ibbus!__process_sweep+0x105
[k:\windows-openib\src\winib-432\core\al\kernel\al_ioc_pnp.c @ 2295]
bafc7d8c ba956b54 86af2e74 86af2e74 00000000 ibbus!__cl_async_proc_worker+0x94
[k:\windows-openib\src\winib-432\core\complib\cl_async_proc.c @ 153]
bafc7da0 ba958c0c 86af2e74 bafc7ddc 80a07678 ibbus!__cl_thread_pool_routine+0x54
[k:\windows-openib\src\winib-432\core\complib\cl_threadpool.c @ 67]
bafc7dac 80a07678 87208fe0 00000000 00000000 ibbus!__thread_callback+0x2c
[k:\windows-openib\src\winib-432\core\complib\kernel\cl_thread.c @ 49]
bafc7ddc 80781346 ba958be0 87208fe0 00000000 nt!PspSystemThreadStartup+0x2e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
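The control-flow defect the report describes, as an added example that is not OpenFabrics code: a reduced, stand-alone model of the worker in plain C, with the buggy shape (free inside the CL_DESTROYING branch, then fall through into __flush_duds and the switch) next to the corrected shape (return immediately after releasing the results). All names here (obj_state, sweep_results, process_sweep_buggy, process_sweep_fixed, run_fixed_sweep, sweep_stats) are hypothetical stand-ins for the al_ioc_pnp.c structures, and the release at the bottom of the function is assumed from the report's "may free p_results again" remark rather than taken from the source.

```c
/* Added example, not the OpenFabrics driver code. Models the use-after-free
 * pattern from bug 184 with hypothetical stand-in types and names. */
#include <stdio.h>
#include <stdlib.h>

enum obj_state   { OBJ_ACTIVE, OBJ_DESTROYING };    /* stands in for CL_DESTROYING */
enum sweep_state { SWEEP_IOU_INFO, SWEEP_DONE };    /* stands in for the sweep state machine */

struct svc { enum obj_state state; };

struct sweep_results {
    struct svc       *p_svc;
    enum sweep_state  state;
    int               iou_count;   /* stand-in for the IOU map */
};

/* Counters so a caller can observe what the worker actually did. */
struct sweep_stats { int freed; int flushed; int ret; };

static void put_iou_map(struct sweep_results *r) { r->iou_count = 0; }

static void flush_duds(struct sweep_results *r, struct sweep_stats *st)
{
    st->flushed++;
    r->iou_count = 0;            /* "walk the map and discard duds" */
}

/* BUGGY shape (the 'before'): the destroying branch frees r and then falls
 * through into flush_duds() and the switch, which dereference the freed block.
 * Kept only for contrast; never call it with an OBJ_DESTROYING service. */
static int process_sweep_buggy(struct sweep_results *r, struct sweep_stats *st)
{
    if (r->p_svc->state == OBJ_DESTROYING) {
        put_iou_map(r);
        free(r);
        st->freed++;
        /* no return here: r is now dangling */
    }
    flush_duds(r, st);           /* use-after-free when the branch above ran */
    switch (r->state) {
    case SWEEP_IOU_INFO: break;
    default:             break;
    }
    free(r);                     /* second free when the branch above ran */
    st->freed++;
    return 1;
}

/* FIXED shape: once the owning service is being destroyed, release the results
 * and leave; nothing after the free can touch r, and r is freed exactly once. */
static int process_sweep_fixed(struct sweep_results *r, struct sweep_stats *st)
{
    if (r->p_svc->state == OBJ_DESTROYING) {
        put_iou_map(r);
        free(r);
        st->freed++;
        return 0;                /* early return: r is dangling from here on */
    }
    flush_duds(r, st);
    switch (r->state) {
    case SWEEP_IOU_INFO: break;  /* continue the sweep state machine */
    default:             break;
    }
    free(r);                     /* assumed end-of-sweep release (see lead-in) */
    st->freed++;
    return 1;
}

/* Drive the fixed worker on a freshly allocated results block for a service in
 * the given state and report what happened. */
struct sweep_stats run_fixed_sweep(enum obj_state state)
{
    struct sweep_stats st = { 0, 0, 0 };
    struct svc s = { state };
    struct sweep_results *r = malloc(sizeof *r);
    if (!r) { st.ret = -1; return st; }
    r->p_svc = &s;
    r->state = SWEEP_IOU_INFO;
    r->iou_count = 3;            /* constructed sample: three IOUs in the map */
    st.ret = process_sweep_fixed(r, &st);
    return st;
}

int main(void)
{
    struct sweep_stats a = run_fixed_sweep(OBJ_ACTIVE);
    struct sweep_stats d = run_fixed_sweep(OBJ_DESTROYING);
    printf("active:     freed=%d flushed=%d ret=%d\n", a.freed, a.flushed, a.ret);
    printf("destroying: freed=%d flushed=%d ret=%d\n", d.freed, d.flushed, d.ret);
    (void)process_sweep_buggy;   /* referenced only so the contrast compiles */
    return 0;
}
```

The point the model makes is the one driver verifier caught: in the destroying case the fixed worker frees once and never calls the flush, whereas the buggy shape frees, flushes the freed block, and frees again. Building the real driver with the same discipline (every free in a branch followed by a return, or the pointer nulled and checked) is what keeps verifier quiet at shutdown.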