6742 Freed and reused idm_conn_t buffer leads to system panic.
Reviewed by: Rob Gittins <rob.gittins@nexenta.com>
Reviewed by: Steve Ping <steve.ping@nexenta.com>
Reviewed by: Dan McDonald <danmcd@omniti.com>
Reviewed by: Yuri Pankov <yuri.pankov@nexenta.com>

*** 20,29 **** --- 20,30 ---- */ /* * Copyright 2010 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. + * Copyright 2015 Nexenta Systems, Inc. All rights reserved. */ #ifndef _IDM_CONN_SM_H_ #define _IDM_CONN_SM_H_ #ifdef __cplusplus
*** 217,226 **** --- 218,253 ---- "CS_S9B_WAIT_SND_DONE", "CS_MAX_STATE" }; #endif + /* + * Currently the state machine has a condition where idm_login_timeout() is + * left active after the connection has been closed. This causes the system + * to panic when idm_login_timeout() modifies the freed memory. In an attempt + * to isolate and find this issue special attention is being placed on + * the ic_state_timeout value. After each untimeout call the value will now + * be cleared. Just before the value is set the code will check for 0 and + * display an error. One final change is being done in idm_conn_sm_fini() which + * if ic_state_machine is not 0, an error message will be displayed and + * untimeout() called. That should prevent customer sites from seeing the + * panic. The code also calls ASSERT(0) which should cause a panic during + * system test. + */ + #define IDM_SM_TIMER_CHECK(ic) \ + if (ic->ic_state_timeout) { \ + cmn_err(CE_WARN, "%s: existing timeout still set. " \ + "state: %s, last: %s\n", __func__, \ + idm_cs_name[ic->ic_state], \ + idm_cs_name[ic->ic_last_state]); \ + ASSERT(0); \ + } + + #define IDM_SM_TIMER_CLEAR(ic) \ + (void) untimeout(ic->ic_state_timeout); \ + ic->ic_state_timeout = 0; + typedef enum { CT_NONE = 0, CT_RX_PDU, CT_TX_PDU } idm_pdu_event_type_t;
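Review bot: IDM_SM_TIMER_CHECK and IDM_SM_TIMER_CLEAR in the second hunk each expand to more than one statement (an `if` block, and `(void) untimeout(ic->ic_state_timeout); ic->ic_state_timeout = 0;`) without a `do { ... } while (0)` wrapper, so a use such as `if (cond) IDM_SM_TIMER_CLEAR(ic);` leaves the assignment outside the conditional, and the semicolon baked into IDM_SM_TIMER_CLEAR together with the `}` that ends IDM_SM_TIMER_CHECK means a call followed by `;` yields an empty statement that breaks a following `else`; wrapping both bodies in `do { ... } while (0)` and dropping the embedded semicolon fixes this. Second, on non-DEBUG kernels ASSERT(0) compiles away, so when IDM_SM_TIMER_CHECK finds a live timeout it only logs and the caller then overwrites ic_state_timeout, leaving the stale callout armed, which is the path to the freed-memory write the block comment describes; calling untimeout() on the existing id inside the warning branch would neutralise it on production builds as well. Minor: the block comment says idm_conn_sm_fini() checks whether "ic_state_machine is not 0", while the field the macros and the described check operate on is ic_state_timeout.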