From patchwork Fri Sep 25 14:50:45 2009
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Sasha Khapyorsky <sashak@voltaire.com>
X-Patchwork-Id: 50130
Received: from vger.kernel.org (vger.kernel.org [209.132.176.167])
	by demeter.kernel.org (8.14.2/8.14.2) with ESMTP id n8PEnWCq031141
	for <patchwork-linux-rdma@patchwork.kernel.org>;
	Fri, 25 Sep 2009 14:49:32 GMT
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752962AbZIYOtC (ORCPT
	<rfc822;patchwork-linux-rdma@patchwork.kernel.org>);
	Fri, 25 Sep 2009 10:49:02 -0400
Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1752955AbZIYOtA
	(ORCPT <rfc822;linux-rdma-outgoing>);
	Fri, 25 Sep 2009 10:49:00 -0400
Received: from mail-bw0-f210.google.com ([209.85.218.210]:59676 "EHLO
	mail-bw0-f210.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752776AbZIYOs6 (ORCPT
	<rfc822; linux-rdma@vger.kernel.org>); Fri, 25 Sep 2009 10:48:58 -0400
Received: by bwz6 with SMTP id 6so2078629bwz.37
	for <linux-rdma@vger.kernel.org>;
	Fri, 25 Sep 2009 07:49:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
	h=domainkey-signature:received:received:sender:received:date:from:to
	:cc:subject:message-id:references:mime-version:content-type
	:content-disposition:in-reply-to:user-agent;
	bh=VkS9gubgyV+O4Ohq7lTw28wxa6iyQO4rX6+i9+68eHM=;
	b=SCKx2gc383MnecR9vism+bPYmmLx/zqj94qtruE47mxRr/KVcME4AI7+NLksCzZCcg
	3naqEZnvLRFcw9sbMyJSmVoS29HitBOLIPj3fEayx67XPhdmwWdcLTJiHlJh/bkDQsFN
	Lh3ovmEBzrE+OsVlRRJV1t+WzfP8NNyMJ66nQ=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
	h=sender:date:from:to:cc:subject:message-id:references:mime-version
	:content-type:content-disposition:in-reply-to:user-agent;
	b=rh+QCj1R9n1XdnP6KRfEedEaW7WDA52ZpYt31IDGsp1wBZHMmWoPP8qQ+ldsO5BcLg
	FO7mClmpN4solvmSs4Z0htfQo8Nu6bhGxXMVo1e1Fjjlw6/8Ls1rBIBeqUTZ2i6NCsuc
	GzpKHi+7G76xWF76RiEJF4Oxu+atvUFxK7aF8=
Received: by 10.204.34.72 with SMTP id k8mr195102bkd.98.1253890140836;
	Fri, 25 Sep 2009 07:49:00 -0700 (PDT)
Received: from me.localdomain (85.64.35.106.dynamic.barak-online.net
	[85.64.35.106]) by mx.google.com with ESMTPS id
	e17sm4146143fke.32.2009.09.25.07.48.59
	(version=TLSv1/SSLv3 cipher=RC4-MD5);
	Fri, 25 Sep 2009 07:48:59 -0700 (PDT)
Received: by me.localdomain (Postfix, from userid 1000)
	id D222F418E8; Fri, 25 Sep 2009 17:50:45 +0300 (IDT)
Date: Fri, 25 Sep 2009 17:50:45 +0300
From: Sasha Khapyorsky <sashak@voltaire.com>
To: OpenIB <general@lists.openfabrics.org>,
	linux-rdma <linux-rdma@vger.kernel.org>
Cc: Jim Schutt <jaschut@sandia.gov>,
	"hal.rosenstock@gmail.com" <hal.rosenstock@gmail.com>
Subject: [PATCH] opensm/osm_ucast_lash: fix use after free bug
Message-ID: <20090925145045.GF26931@me>
References: <1251486496-24812-1-git-send-email-jaschut@sandia.gov>
	<1251486496-24812-2-git-send-email-jaschut@sandia.gov>
	<20090922185014.GF24398@me>
	<1253651343.4776.1125.camel@sale659.sandia.gov>
	<20090925135256.GE26931@me>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <20090925135256.GE26931@me>
User-Agent: Mutt/1.5.20 (2009-06-14)
Sender: linux-rdma-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-rdma.vger.kernel.org>
X-Mailing-List: linux-rdma@vger.kernel.org

When LASH runs its switch structures cleanup OpenSM can rediscover a
subnet and 'p_sw' pointer may refer already freed memory, so don't touch
it, just free our own stuff. (Note also that for valids OpenSM switches
objects' 'priv' pointers are cleared on lash_cleanup()).

Signed-off-by: Sasha Khapyorsky <sashak@voltaire.com>
Tested-by: Hal Rosenstock <hal.rosenstock@gmail.com>
---
 opensm/opensm/osm_ucast_lash.c |    5 +----
 1 files changed, 1 insertions(+), 4 deletions(-)

diff --git a/opensm/opensm/osm_ucast_lash.c b/opensm/opensm/osm_ucast_lash.c
index dbc6bcc..3c424cb 100644
--- a/opensm/opensm/osm_ucast_lash.c
+++ b/opensm/opensm/osm_ucast_lash.c
@@ -628,8 +628,7 @@ static switch_t *switch_create(lash_t * p_lash, unsigned id, osm_switch_t * p_sw
 	}
 
 	sw->p_sw = p_sw;
-	if (p_sw)
-		p_sw->priv = sw;
+	p_sw->priv = sw;
 
 	if (osm_mesh_node_create(p_lash, sw)) {
 		free(sw->dij_channels);
@@ -644,8 +643,6 @@ static void switch_delete(lash_t *p_lash, switch_t * sw)
 {
 	if (sw->dij_channels)
 		free(sw->dij_channels);
-	if (sw->p_sw)
-		sw->p_sw->priv = NULL;
 	free(sw);
 }