[ofa-general] Re: Dereferencing freed memory bugs
Latif, Faisal
faisal.latif at intel.com
Thu Apr 2 14:36:14 PDT 2009
Thanks Dan for the input. There were 3 issues (comments inline) that required changes while others were OK. I will be creating a patch for them as you pointed out.
Faisal
>-----Original Message-----
>From: Dan Carpenter [mailto:error27 at gmail.com]
>Sent: Thursday, April 02, 2009 1:38 AM
>To: Tung, Chien Tin
>Cc: Roland Dreier; Marcin Slusarz; general at lists.openfabrics.org
>Subject: Re: [ofa-general] Re: Dereferencing freed memory bugs
>
>I checked it with 2.6.29-git9. There were still a couple issues in
>drivers/infiniband/hw/nes/nes_cm.c.
>
> 428 if (cm_node->recv_entry) {
> 429 WARN_ON(1);
> 430 return -EINVAL;
> 431 }
>
>missing kfree(new_send);
Will be adding the kfree() before the WARN_ON(.
>
> 521 rem_ref_cm_node(cm_node->cm_core, cm_node);
> 522 }
> 523 if (cm_node->cm_id)
> 524 cm_id->rem_ref(cm_id);
>
>dereferencing freed memory. rem_ref_cm_node can call kfree on cm_node.
>
> 662
>rem_ref_cm_node(cm_node->cm_core,
> 663 cm_node);
> 664 }
> 665 } while (0);
> 666
> 667
>spin_unlock_irqrestore(&cm_node->retrans_list_lock, flags);
>
>same.
All the above were OK in the code. rem_ref_cm_node() will not be freeing up the cm_node memory as its ref_count will always be greater than 1 in above situations. The rem_ref_cm_node() will be decrementing the ref_count and returning.
>
> 1265 cm_node->freed = 1;
> 1266 kfree(cm_node);
>
>You can't actually checked cm_node->freed if it's freed.
Yes, this was leftover from previous debugging where we had commented out kfree() temporarily to find a bug. I removed the freed flag from the cm_node as it was not used anywhere else.
>
> 2007 loopbackremotenode =
>make_cm_node(cm_core, nesvnic,
> 2008 &loopback_cm_info,
>loopbackremotelistener);
> 2009 loopbackremotenode->loopbackpartner =
>cm_node;
>
>make_cm_node() returns NULL in low memory situations.
Yes I will fix the above.
>
>Don't forget to add the reported by sticker. :P
>Reported-by: Dan Carpenter <error27 at gmail.com>
>
>regards,
>dan carpenter
More information about the general
mailing list