* [ofa-general] [PATCH] opensm/osm_ucast_lash: fix use after free bug
[not found] ` <20090925135256.GE26931@me>
@ 2009-09-25 14:50 ` Sasha Khapyorsky
2009-09-25 22:15 ` Jim Schutt
2009-09-25 23:11 ` Hal Rosenstock
0 siblings, 2 replies; 3+ messages in thread
From: Sasha Khapyorsky @ 2009-09-25 14:50 UTC (permalink / raw)
To: OpenIB, linux-rdma
When LASH runs its switch structures cleanup OpenSM can rediscover a
subnet and 'p_sw' pointer may refer already freed memory, so don't touch
it, just free our own stuff. (Note also that for valids OpenSM switches
objects' 'priv' pointers are cleared on lash_cleanup()).
Signed-off-by: Sasha Khapyorsky <sashak@voltaire.com>
---
opensm/opensm/osm_ucast_lash.c | 5 +----
1 files changed, 1 insertions(+), 4 deletions(-)
diff --git a/opensm/opensm/osm_ucast_lash.c b/opensm/opensm/osm_ucast_lash.c
index dbc6bcc..3c424cb 100644
--- a/opensm/opensm/osm_ucast_lash.c
+++ b/opensm/opensm/osm_ucast_lash.c
@@ -628,8 +628,7 @@ static switch_t *switch_create(lash_t * p_lash, unsigned id, osm_switch_t * p_sw
}
sw->p_sw = p_sw;
- if (p_sw)
- p_sw->priv = sw;
+ p_sw->priv = sw;
if (osm_mesh_node_create(p_lash, sw)) {
free(sw->dij_channels);
@@ -644,8 +643,6 @@ static void switch_delete(lash_t *p_lash, switch_t * sw)
{
if (sw->dij_channels)
free(sw->dij_channels);
- if (sw->p_sw)
- sw->p_sw->priv = NULL;
free(sw);
}
--
1.6.5.rc1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] opensm/osm_ucast_lash: fix use after free bug
2009-09-25 14:50 ` [ofa-general] [PATCH] opensm/osm_ucast_lash: fix use after free bug Sasha Khapyorsky
@ 2009-09-25 22:15 ` Jim Schutt
2009-09-25 23:11 ` Hal Rosenstock
1 sibling, 0 replies; 3+ messages in thread
From: Jim Schutt @ 2009-09-25 22:15 UTC (permalink / raw)
To: Sasha Khapyorsky
Cc: OpenIB, linux-rdma,
hal.rosenstock-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
Hi Sasha,
On Fri, 2009-09-25 at 08:50 -0600, Sasha Khapyorsky wrote:
> When LASH runs its switch structures cleanup OpenSM can rediscover a
> subnet and 'p_sw' pointer may refer already freed memory, so don't touch
> it, just free our own stuff. (Note also that for valids OpenSM switches
> objects' 'priv' pointers are cleared on lash_cleanup()).
This worked for me on the test case that generated
my earlier report.
Thanks -- Jim
>
> Signed-off-by: Sasha Khapyorsky <sashak-smomgflXvOZWk0Htik3J/w@public.gmane.org>
> ---
> opensm/opensm/osm_ucast_lash.c | 5 +----
> 1 files changed, 1 insertions(+), 4 deletions(-)
>
> diff --git a/opensm/opensm/osm_ucast_lash.c b/opensm/opensm/osm_ucast_lash.c
> index dbc6bcc..3c424cb 100644
> --- a/opensm/opensm/osm_ucast_lash.c
> +++ b/opensm/opensm/osm_ucast_lash.c
> @@ -628,8 +628,7 @@ static switch_t *switch_create(lash_t * p_lash, unsigned id, osm_switch_t * p_sw
> }
>
> sw->p_sw = p_sw;
> - if (p_sw)
> - p_sw->priv = sw;
> + p_sw->priv = sw;
>
> if (osm_mesh_node_create(p_lash, sw)) {
> free(sw->dij_channels);
> @@ -644,8 +643,6 @@ static void switch_delete(lash_t *p_lash, switch_t * sw)
> {
> if (sw->dij_channels)
> free(sw->dij_channels);
> - if (sw->p_sw)
> - sw->p_sw->priv = NULL;
> free(sw);
> }
>
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] opensm/osm_ucast_lash: fix use after free bug
2009-09-25 14:50 ` [ofa-general] [PATCH] opensm/osm_ucast_lash: fix use after free bug Sasha Khapyorsky
2009-09-25 22:15 ` Jim Schutt
@ 2009-09-25 23:11 ` Hal Rosenstock
1 sibling, 0 replies; 3+ messages in thread
From: Hal Rosenstock @ 2009-09-25 23:11 UTC (permalink / raw)
To: Sasha Khapyorsky; +Cc: OpenIB, linux-rdma, Jim Schutt
On 9/25/09, Sasha Khapyorsky <sashak-smomgflXvOZWk0Htik3J/w@public.gmane.org> wrote:
>
> When LASH runs its switch structures cleanup OpenSM can rediscover a
> subnet and 'p_sw' pointer may refer already freed memory, so don't touch
> it, just free our own stuff. (Note also that for valids OpenSM switches
> objects' 'priv' pointers are cleared on lash_cleanup()).
>
> Signed-off-by: Sasha Khapyorsky <sashak-smomgflXvOZWk0Htik3J/w@public.gmane.org>
Tested-by: Hal Rosenstock <hal.rosenstock-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
> ---
> opensm/opensm/osm_ucast_lash.c | 5 +----
> 1 files changed, 1 insertions(+), 4 deletions(-)
>
> diff --git a/opensm/opensm/osm_ucast_lash.c b/opensm/opensm/osm_ucast_lash.c
> index dbc6bcc..3c424cb 100644
> --- a/opensm/opensm/osm_ucast_lash.c
> +++ b/opensm/opensm/osm_ucast_lash.c
> @@ -628,8 +628,7 @@ static switch_t *switch_create(lash_t * p_lash, unsigned
> id, osm_switch_t * p_sw
> }
>
> sw->p_sw = p_sw;
> - if (p_sw)
> - p_sw->priv = sw;
> + p_sw->priv = sw;
>
> if (osm_mesh_node_create(p_lash, sw)) {
> free(sw->dij_channels);
> @@ -644,8 +643,6 @@ static void switch_delete(lash_t *p_lash, switch_t * sw)
> {
> if (sw->dij_channels)
> free(sw->dij_channels);
> - if (sw->p_sw)
> - sw->p_sw->priv = NULL;
> free(sw);
> }
>
> --
> 1.6.5.rc1
>
>
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2009-09-25 23:11 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <1251486496-24812-1-git-send-email-jaschut@sandia.gov>
[not found] ` <1251486496-24812-2-git-send-email-jaschut@sandia.gov>
[not found] ` <20090922185014.GF24398@me>
[not found] ` <1253651343.4776.1125.camel@sale659.sandia.gov>
[not found] ` <20090925135256.GE26931@me>
2009-09-25 14:50 ` [ofa-general] [PATCH] opensm/osm_ucast_lash: fix use after free bug Sasha Khapyorsky
2009-09-25 22:15 ` Jim Schutt
2009-09-25 23:11 ` Hal Rosenstock
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox