Re: [ofw] IBBUS patch - BS while calling to destroy PD

Wed, 24 Nov 2010 12:35:17 -0800 

Patch applies OK. Testing shows no signs of regression.
Please commit and I will add to winOFED 2.3 RC7

stan.

________________________________
From: [email protected] 
[mailto:[email protected]] On Behalf Of Uri Habusha
Sent: Wednesday, November 24, 2010 6:08 AM
To: '[email protected]'
Subject: [ofw] IBBUS patch - BS while calling to destroy PD

This patch comes to fix a BS in IBBUS that was caused due to access to 
uninitialized field.

It happens when allocation of PD object failed as a result the driver called to 
destroying PD function. This function access to field in object that was not 
initialized.
Since the function doesn't use these variables, I removed the code from the 
function.

Following is BS stack:

0: kd> kb
RetAddr           : Args to Child                                               
            : Call Site
fffff800`01773682 : 00000000`c0000005 fffffa80`09bf3b60 00000000`00000065 
fffff800`016bab14 : nt!DbgBreakPointWithStatus
fffff800`0177446e : fffff880`00000003 00000000`00000000 fffff800`016b76e0 
00000000`0000003b : nt!KiBugCheckDebugBreak+0x12
fffff800`0167c704 : 00000000`00000000 fffffa80`09bf3b60 fffff880`0802b510 
00000000`00000000 : nt!KeBugCheck2+0x71e
fffff800`0167bb69 : 00000000`0000003b 00000000`c0000005 fffff880`01c0af17 
fffff880`0802bd10 : nt!KeBugCheckEx+0x104
fffff800`0167b4bc : fffff880`0802c4a8 fffff880`0802bd10 00000000`00000000 
fffff800`016aab50 : nt!KiBugCheckDispatch+0x69
fffff800`016a22ed : fffff800`018a0338 fffff800`017c747c fffff800`0160c000 
fffff880`0802c4a8 : nt!KiSystemServiceHandler+0x7c
fffff800`016a9950 : fffff800`017cc1b0 fffff880`0802b648 fffff880`0802c4a8 
fffff800`0160c000 : nt!RtlpExecuteHandlerForException+0xd
fffff800`016b68df : fffff880`0802c4a8 fffff880`0802bd10 fffff880`00000000 
fffffa80`0a2b81f0 : nt!RtlDispatchException+0x410
fffff800`0167bc42 : fffff880`0802c4a8 fffffa80`0a523f20 fffff880`0802c550 
fffffa80`0a523f20 : nt!KiDispatchException+0x16f
fffff800`0167a7ba : 00000000`00000000 fffffa80`0a523f20 fffffa80`0a7c4800 
fffff800`016c79dc : nt!KiExceptionDispatch+0xc2
fffff880`01c0af17 : fffffa80`dbc8c000 00000000`00000040 fffff880`01cca26d 
00000000`00000040 : nt!KiPageFault+0x23a
fffff880`01c6b29b : 00000000`00000000 fffff880`01cca250 fffffa80`00000287 
fffffa80`dbc8c000 : ibbus!destroying_pd+0x67 
[s:\builds\6896\trunk\core\al\al_pd.c @ 198]
fffff880`01c6a6a5 : fffffa80`dbc8c000 00000000`00000000 00000000`00000000 
fffffa80`00000000 : ibbus!destroy_obj+0x45b 
[s:\builds\6896\trunk\core\al\al_common.c @ 665]
fffff880`01c0a80e : fffffa80`dbc8c000 00000000`00000000 00000000`00000001 
fffff880`01c0aeb0 : ibbus!async_destroy_obj+0xd5 
[s:\builds\6896\trunk\core\al\al_common.c @ 536]
fffff880`01c7cd63 : fffffa80`099ed000 fffff880`00000000 00000000`7637ce80 
fffff880`0802c890 : ibbus!alloc_pd+0x35e [s:\builds\6896\trunk\core\al\al_pd.c 
@ 121]
fffff880`01c86379 : fffffa80`08a057d0 fffffa80`0a2b81f0 fffff880`0802c988 
00000000`00000369 : ibbus!proxy_alloc_pd+0x243 
[s:\builds\6896\trunk\core\al\kernel\al_proxy_verbs.c @ 876]
fffff880`01c0379d : fffffa80`0a2b81f0 fffff880`0802c988 fffff6fc`400186e8 
fffff880`030dd000 : ibbus!verbs_ioctl+0x239 
[s:\builds\6896\trunk\core\al\kernel\al_proxy_verbs.c @ 3785]
fffff880`01bade40 : fffffa80`0a2b81f0 fffffa80`0a523f20 fffff880`0802cca0 
fffffa80`0a523f20 : ibbus!al_dev_ioctl+0x2fd 
[s:\builds\6896\trunk\core\al\kernel\al_dev.c @ 461]
fffff800`019986b7 : fffffa80`0a7c4860 fffffa80`0a2b81f0 fffffa80`0a2b8308 
fffffa80`0a2b81f0 : ibbus!bus_drv_ioctl+0x210 
[s:\builds\6896\trunk\core\bus\kernel\bus_driver.c @ 884]
fffff800`01998f16 : 00000000`0026f650 00000000`00000000 00000000`00000000 
00000000`00000000 : nt!IopXxxControlFile+0x607


Index: al_pd.c
===================================================================
--- al_pd.c           (revision 6902)
+++ al_pd.c        (working copy)
@@ -182,8 +182,6 @@
 destroying_pd(
                IN                                                           
al_obj_t                                                                        
       *p_obj )
 {
-              ib_al_handle_t                                 h_al;
-              ib_ca_handle_t                                                
h_ca;
                ib_pd_handle_t                                               
h_pd;
                ib_mw_handle_t                                             h_mw;
                cl_list_item_t                                    *p_list_item;
@@ -191,13 +189,8 @@

                CL_ASSERT( p_obj );
                h_pd = PARENT_STRUCT( p_obj, ib_pd_t, obj );
+             CL_ASSERT( h_pd );

-              /* Get the AL instance of this protection domain. */
-              p_obj = h_pd->obj.p_parent_obj;
-              h_ca = PARENT_STRUCT( p_obj, ib_ca_t, obj );
-              p_obj = h_ca->obj.p_parent_obj;
-              h_al = PARENT_STRUCT( p_obj, ib_al_t, obj );
-
                /*
                 * Deallocate all MW's before proceeding with destruction.  
This ensures
                 * that all MW's have been destroyed before any MR's are.

_______________________________________________
ofw mailing list
[email protected]
http://lists.openfabrics.org/cgi-bin/mailman/listinfo/ofw

Reply via email to