[openib-general] Re: different CM panic

[Sean Hefty]

Roland Dreier wrote:
> Well, at least I tracked this down to a use-after-free bug in the CM.
> I went ahead and committed this trivial fix:
> 
> If the CM REQ handling function gets to error2, then it frees
> cm_id_priv->timewait_info.  But the next line goes through
> ib_destroy_cm_id() -> ib_send_cm_rej() -> cm_reset_to_idle(),
> which ends up calling cm_cleanup_timewait(), which dereferences the
> pointer we just freed.

Thanks for fixing this.

- Sean