[ofa-general] [PATCHv2] opensm/mesh/lash: Fix use after free problem in osm_mesh_node_delete

Hal Rosenstock hnrose at comcast.net
Fri Jul 31 06:51:47 PDT 2009 

When osm_mesh_node_delete is called, osm_switch_delete may already have
been called so sw->p_sw is no longer valid to be used although it was
being used to obtain num_ports.

Fix this by performing osm_mesh_delete_switches at the end of lash_process.

Signed-off-by: Hal Rosenstock <hal.rosenstock at gmail.com>
---
Changes since v1:
Rather than saving num_ports in the mesh node structure on creation and using
this on deletion, mesh switches deletion should occur at end of the lash
calculation as none of this state is needed after that 
Approach proposed by Sasha

diff --git a/opensm/include/opensm/osm_mesh.h b/opensm/include/opensm/osm_mesh.h
index 173fa86..89c07e5 100644
--- a/opensm/include/opensm/osm_mesh.h
+++ b/opensm/include/opensm/osm_mesh.h
@@ -1,5 +1,6 @@
 /*
  * Copyright (c) 2088      System Fabric Works, Inc.
+ * Copyright (c) 2009      HNR Consulting. All rights reserved.
  *
  * This software is available to you under a choice of one of two
  * licenses.  You may choose to be licensed under the terms of the GNU
@@ -70,6 +71,7 @@ typedef struct _mesh_node {
 } mesh_node_t;
 
 void osm_mesh_node_delete(struct _lash *p_lash, struct _switch *sw);
+void osm_mesh_delete_switches(struct _lash *p_lash);
 int osm_mesh_node_create(struct _lash *p_lash, struct _switch *sw);
 int osm_do_mesh_analysis(struct _lash *p_lash);
 
diff --git a/opensm/opensm/osm_mesh.c b/opensm/opensm/osm_mesh.c
index 23fad87..b22fe6e 100644
--- a/opensm/opensm/osm_mesh.c
+++ b/opensm/opensm/osm_mesh.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (c) 2008,2009      System Fabric Works, Inc. All rights reserved.
+ * Copyright (c) 2009           HNR Consulting. All rights reserved.
  *
  * This software is available to you under a choice of one of two
  * licenses.  You may choose to be licensed under the terms of the GNU
@@ -1358,6 +1359,20 @@ void osm_mesh_node_delete(lash_t *p_lash, switch_t *sw)
 }
 
 /*
+ * osm_mesh_delete_switches - cleanup switches resources
+ */
+void osm_mesh_delete_switches(lash_t *p_lash)
+{
+	if (p_lash->switches) {
+		unsigned id;
+		for (id = 0; ((int)id) < p_lash->num_switches; id++)
+			if (p_lash->switches[id])
+				osm_mesh_node_delete(p_lash,
+						     p_lash->switches[id]);
+	}
+}
+
+/*
  * osm_mesh_node_create - allocate per switch resources
  */
 int osm_mesh_node_create(lash_t *p_lash, switch_t *sw)
diff --git a/opensm/opensm/osm_ucast_lash.c b/opensm/opensm/osm_ucast_lash.c
index 7133e25..2b50fe5 100644
--- a/opensm/opensm/osm_ucast_lash.c
+++ b/opensm/opensm/osm_ucast_lash.c
@@ -5,6 +5,7 @@
  * Copyright (c) 2007      Simula Research Laboratory. All rights reserved.
  * Copyright (c) 2007      Silicon Graphics Inc. All rights reserved.
  * Copyright (c) 2008,2009 System Fabric Works, Inc. All rights reserved.
+ * Copyright (c) 2009      HNR Consulting. All rights reserved.
  *
  * This software is available to you under a choice of one of two
  * licenses.  You may choose to be licensed under the terms of the GNU
@@ -1208,7 +1209,7 @@ static int lash_process(void *context)
 
 	return_status = discover_network_properties(p_lash);
 	if (return_status != IB_SUCCESS)
-		goto Exit;
+		goto Exit2;
 
 	return_status = init_lash_structures(p_lash);
 	if (return_status != IB_SUCCESS)
@@ -1223,6 +1224,9 @@ static int lash_process(void *context)
 	populate_fwd_tbls(p_lash);
 
 Exit:
+	osm_mesh_delete_switches(p_lash);
+
+Exit2:
 	if (p_lash->vl_min)
 		free_lash_structures(p_lash);
 	OSM_LOG_EXIT(p_log);

More information about the general mailing list