[ofw] IBBUS patch - BS while calling to destroy PD

Uri Habusha urih at mellanox.co.il
Wed Nov 24 06:07:43 PST 2010


This patch fixes a bugcheck (BSOD) in IBBUS that was caused by access to an uninitialized field.

It happens when allocation of a PD object fails: on that path the driver calls the PD destroy function (destroying_pd), and that function dereferences the object's parent-object pointer chain, which has not been initialized yet.
Since the function does not use the values obtained from that walk, I removed the code from the function.

The bugcheck stack follows:

0: kd> kb
RetAddr           : Args to Child                                                           : Call Site
fffff800`01773682 : 00000000`c0000005 fffffa80`09bf3b60 00000000`00000065 fffff800`016bab14 : nt!DbgBreakPointWithStatus
fffff800`0177446e : fffff880`00000003 00000000`00000000 fffff800`016b76e0 00000000`0000003b : nt!KiBugCheckDebugBreak+0x12
fffff800`0167c704 : 00000000`00000000 fffffa80`09bf3b60 fffff880`0802b510 00000000`00000000 : nt!KeBugCheck2+0x71e
fffff800`0167bb69 : 00000000`0000003b 00000000`c0000005 fffff880`01c0af17 fffff880`0802bd10 : nt!KeBugCheckEx+0x104
fffff800`0167b4bc : fffff880`0802c4a8 fffff880`0802bd10 00000000`00000000 fffff800`016aab50 : nt!KiBugCheckDispatch+0x69
fffff800`016a22ed : fffff800`018a0338 fffff800`017c747c fffff800`0160c000 fffff880`0802c4a8 : nt!KiSystemServiceHandler+0x7c
fffff800`016a9950 : fffff800`017cc1b0 fffff880`0802b648 fffff880`0802c4a8 fffff800`0160c000 : nt!RtlpExecuteHandlerForException+0xd
fffff800`016b68df : fffff880`0802c4a8 fffff880`0802bd10 fffff880`00000000 fffffa80`0a2b81f0 : nt!RtlDispatchException+0x410
fffff800`0167bc42 : fffff880`0802c4a8 fffffa80`0a523f20 fffff880`0802c550 fffffa80`0a523f20 : nt!KiDispatchException+0x16f
fffff800`0167a7ba : 00000000`00000000 fffffa80`0a523f20 fffffa80`0a7c4800 fffff800`016c79dc : nt!KiExceptionDispatch+0xc2
fffff880`01c0af17 : fffffa80`dbc8c000 00000000`00000040 fffff880`01cca26d 00000000`00000040 : nt!KiPageFault+0x23a
fffff880`01c6b29b : 00000000`00000000 fffff880`01cca250 fffffa80`00000287 fffffa80`dbc8c000 : ibbus!destroying_pd+0x67 [s:\builds\6896\trunk\core\al\al_pd.c @ 198]
fffff880`01c6a6a5 : fffffa80`dbc8c000 00000000`00000000 00000000`00000000 fffffa80`00000000 : ibbus!destroy_obj+0x45b [s:\builds\6896\trunk\core\al\al_common.c @ 665]
fffff880`01c0a80e : fffffa80`dbc8c000 00000000`00000000 00000000`00000001 fffff880`01c0aeb0 : ibbus!async_destroy_obj+0xd5 [s:\builds\6896\trunk\core\al\al_common.c @ 536]
fffff880`01c7cd63 : fffffa80`099ed000 fffff880`00000000 00000000`7637ce80 fffff880`0802c890 : ibbus!alloc_pd+0x35e [s:\builds\6896\trunk\core\al\al_pd.c @ 121]
fffff880`01c86379 : fffffa80`08a057d0 fffffa80`0a2b81f0 fffff880`0802c988 00000000`00000369 : ibbus!proxy_alloc_pd+0x243 [s:\builds\6896\trunk\core\al\kernel\al_proxy_verbs.c @ 876]
fffff880`01c0379d : fffffa80`0a2b81f0 fffff880`0802c988 fffff6fc`400186e8 fffff880`030dd000 : ibbus!verbs_ioctl+0x239 [s:\builds\6896\trunk\core\al\kernel\al_proxy_verbs.c @ 3785]
fffff880`01bade40 : fffffa80`0a2b81f0 fffffa80`0a523f20 fffff880`0802cca0 fffffa80`0a523f20 : ibbus!al_dev_ioctl+0x2fd [s:\builds\6896\trunk\core\al\kernel\al_dev.c @ 461]
fffff800`019986b7 : fffffa80`0a7c4860 fffffa80`0a2b81f0 fffffa80`0a2b8308 fffffa80`0a2b81f0 : ibbus!bus_drv_ioctl+0x210 [s:\builds\6896\trunk\core\bus\kernel\bus_driver.c @ 884]
fffff800`01998f16 : 00000000`0026f650 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0x607


Index: al_pd.c
===================================================================
--- al_pd.c           (revision 6902)
+++ al_pd.c        (working copy)
@@ -182,8 +182,6 @@
 destroying_pd(
                IN                                                           al_obj_t                                                                               *p_obj )
 {
-              ib_al_handle_t                                 h_al;
-              ib_ca_handle_t                                                h_ca;
                ib_pd_handle_t                                               h_pd;
                ib_mw_handle_t                                             h_mw;
                cl_list_item_t                                    *p_list_item;
@@ -191,13 +189,8 @@

                CL_ASSERT( p_obj );
                h_pd = PARENT_STRUCT( p_obj, ib_pd_t, obj );
+             CL_ASSERT( h_pd );

-              /* Get the AL instance of this protection domain. */
-              p_obj = h_pd->obj.p_parent_obj;
-              h_ca = PARENT_STRUCT( p_obj, ib_ca_t, obj );
-              p_obj = h_ca->obj.p_parent_obj;
-              h_al = PARENT_STRUCT( p_obj, ib_al_t, obj );
-
                /*
                 * Deallocate all MW's before proceeding with destruction.  This ensures
                 * that all MW's have been destroyed before any MR's are.
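Review bot: The added `CL_ASSERT( h_pd );` on the new side can never fire: `p_obj` was already asserted non-NULL on the line above, and PARENT_STRUCT only subtracts a fixed offset from it, so the result is a non-NULL address by construction; I would drop that line, or replace it with a comment stating why the parent walk was removed, e.g. `/* Do not walk obj.p_parent_obj here: destroying_pd is also reached from alloc_pd's failure path (via async_destroy_obj) before the parent chain is set up. */`. Note that CL_ASSERT is a debug-only check and would not have stopped the page fault in a release build either; the actual fix is the removal of the `h_pd->obj.p_parent_obj` / `h_ca->obj.p_parent_obj` dereferences. The stack in the message shows this path is entered from a user-mode IOCTL (bus_drv_ioctl → verbs_ioctl → proxy_alloc_pd → alloc_pd), so, if that reading is right, an allocation failure during a user-triggered alloc-PD request was a kernel crash rather than a clean error return; that is worth stating in the commit description. destroying_pd's body continues past the end of this hunk, so any remaining uses of the removed locals further down would have to be confirmed by a build.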