[ofa-general] Re: Dereferencing freed memory bugs
Tung, Chien Tin
chien.tin.tung at intel.com
Wed Apr 1 12:24:57 PDT 2009
>Hmm, maybe I'm not reading the results correctly -- for example, in the
>latest git tree, line 621 of nes_cm.c is:
>
>	nes_debug(NES_DBG_CM, "Retransmitting send_entry %p "
>		"for node %p, jiffies = %lu, time to send = "
>		"%lu, retranscount = %u, send_entry->seq_num = "
>		"0x%08X, cm_node->tcp_cntxt.rem_ack_num = "
>		"0x%08X\n", send_entry, cm_node, jiffies,
>		send_entry->timetosend,
>  621 =>	send_entry->retranscount,
>		send_entry->seq_num,
>		cm_node->tcp_cntxt.rem_ack_num);
>
>or is 621 not the line number?
>
> - R.
This is from linux-2.6.29 tar file, nes_cm.c:
			if (last_state == NES_CM_STATE_SYN_RCVD)
				rem_ref_cm_node(cm_core, cm_node);
			else
				create_event(cm_node, NES_CM_EVENT_ABORTED);
563 ==>			spin_lock_irqsave(&cm_node->retrans_list_lock, flags);
			[...]
		} else {
			int close_when_complete;
			close_when_complete = send_entry->close_when_complete;
			nes_debug(NES_DBG_CM, "cm_node=%p state=%d\n",
				cm_node, cm_node->state);
			free_retrans_entry(cm_node);
			if (close_when_complete)
				rem_ref_cm_node(cm_node->cm_core, cm_node);
		}
	} while (0);
621 ==>	spin_unlock_irqrestore(&cm_node->retrans_list_lock, flags);
	rem_ref_cm_node(cm_node->cm_core, cm_node);
	if (ret != NETDEV_TX_OK) {
The reason for the warning is probably the rem_ref_cm_node() call, where
a cm_node will get freed if the reference count is 0. At the top of the
function is a loop where a cm_node with TX or RX will get its ref count
incremented and placed on a list. The rest of the function only processes
cm_nodes off that list. Theoretically, a cm_node shouldn't get freed before
622.
Chien
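As an added illustration, not the nes driver's code and not part of this thread, here is a small C model of the reference-counting argument in the reply above: the function holds an extra reference taken when the node was put on its work list, so a rem_ref_cm_node() inside the locked section cannot release the node before the unlock. The names timer_pass(), process_node() and the freed flag are assumptions of this model.

```c
#include <stdbool.h>

/* Constructed model (not the nes driver): a node released by
 * rem_ref_cm_node() when its count reaches zero. A flag stands in for
 * the real free() so the outcome can be inspected safely afterwards. */
struct cm_node {
    int refcount;
    int lock_held;      /* stands in for retrans_list_lock */
    bool *freed_flag;   /* set when the node is "freed" */
};

/* Drop one reference; the last one releases the node. */
static void rem_ref_cm_node(struct cm_node *node)
{
    if (--node->refcount == 0)
        *node->freed_flag = true;
}

/* The shape the analyzer flagged: a reference may be dropped inside the
 * locked section, then the node's own lock is released and the caller's
 * reference is dropped. Returns true if the node was still live when its
 * lock was released (the property the warning is about). */
static bool process_node(struct cm_node *node, bool close_when_complete)
{
    node->lock_held = 1;                 /* spin_lock_irqsave */
    if (close_when_complete)
        rem_ref_cm_node(node);           /* may be the last reference */
    bool alive_at_unlock = !*node->freed_flag;
    node->lock_held = 0;                 /* spin_unlock_irqrestore */
    /* The real code drops the caller's reference unconditionally; the
     * guard only keeps this model from touching a released node. */
    if (alive_at_unlock)
        rem_ref_cm_node(node);
    return alive_at_unlock;
}

/* Model of the scan loop at the top of the function: every node placed on
 * the work list gets an extra reference, so the count cannot reach zero
 * before the unlock at the end. take_scan_ref=false shows what the
 * analyzer assumed. Initial refcount models the owner's reference. */
static bool timer_pass(struct cm_node *node, bool close_when_complete,
                       bool take_scan_ref)
{
    if (take_scan_ref)
        node->refcount++;                /* add_ref in the scan loop */
    return process_node(node, close_when_complete);
}
```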