[ofw] [ofw'[Patch][opensm] Avoid dangling reference

Hal Rosenstock hal.rosenstock at gmail.com
Tue Mar 22 09:29:24 PDT 2011 

Stan,

On Tue, Mar 22, 2011 at 12:03 PM, Smith, Stan <stan.smith at intel.com> wrote:
> Hello,
>
>   Any idea as to how/why p_madw->resp_expected would change between  saving
> the value and later testing it?

The issue is that the p_madw is freed if response is not expected so
it's not valid to check it later in that case.

This is the incorporation of a patch accepted into OpenSM (Linux):

osm_vl15intf.c: fixing use-after-free coredump

author Yevgeny Kliteynik <kliteyn at mellanox.co.il>
 Mon, 11 Oct 2010 11:04:22 +0000 (13:04 +0200)
committer Sasha Khapyorsky <sashak at voltaire.com>
 Mon, 25 Oct 2010 18:22:51 +0000 (20:22 +0200)
commit c1c87305f8a089286ba65ea0aa0df60b47c88295
tree 2529b582b3c91ef2b4dcb15a9558baf00989cce1 tree | snapshot
parent 3353f9b9db76bab15b13ba73f9d18cd53d8e432b

osm_vl15intf.c: fixing use-after-free coredump

p_madw is freed if responce is not expected.

Signed-off-by: Yevgeny Kliteynik <kliteyn at dev.mellanox.co.il>
Signed-off-by: Sasha Khapyorsky <sashak at voltaire.com>

-- Hal

>
> Stan.
>
>
>
> From: ofw-bounces at lists.openfabrics.org
> [mailto:ofw-bounces at lists.openfabrics.org] On Behalf Of Alex Naslednikov
> Sent: Tuesday, March 22, 2011 6:30 AM
>
> To: ofw at lists.openfabrics.org
> Subject: [ofw] [ofw'[Patch][opensm] Avoid dangling reference
>
>
>
> Do not use mad wrapper pointer after deleting it.
>
> The old code tried to access already de-allocated pointer, which caused to
> dangling reference
>
> Signed-off by: Alexander Naslednikov (xalex at mellanox.co.il)
>
> Index: B:/users/xalex/MLNX_VPI_trunk/ulp/opensm/user/opensm/osm_vl15intf.c
>
> ===================================================================
>
> ---
> B:/users/xalex/MLNX_VPI_trunk/ulp/opensm/user/opensm/osm_vl15intf.c
> (revision 7562)
>
> +++
> B:/users/xalex/MLNX_VPI_trunk/ulp/opensm/user/opensm/osm_vl15intf.c
> (revision 7563)
>
> @@ -63,7 +63,8 @@
>
>                    since we can have no confirmation that they arrived
>
>                    at their destination.
>
>                  */
>
> -              if (p_madw->resp_expected == TRUE)
>
> +             boolean_t resp_expected = p_madw->resp_expected;
>
> +             if (resp_expected == TRUE)
>
>                                 /*
>
>                                    Note that other threads may not see the
> response MAD
>
>                                    arrive before send() even returns.
>
> @@ -103,7 +104,7 @@
>
>                    qp0_mads_outstanding will be decremented by send error
> callback
>
>                    (called by osm_vendor_send() */
>
>                 cl_atomic_dec(&p_vl->p_stats->qp0_mads_sent);
>
> -              if (!p_madw->resp_expected)
>
> +             if (!resp_expected)
>
>
> cl_atomic_dec(&p_vl->p_stats->qp0_unicasts_sent);
>
>  }
>
>
>
>
>
> Alexander (XaleX) Naslednikov
>
> SW Networking Team
>
> Mellanox Technologies
>
>
>
> _______________________________________________
> ofw mailing list
> ofw at lists.openfabrics.org
> http://lists.openfabrics.org/cgi-bin/mailman/listinfo/ofw
>

More information about the ofw mailing list