Commit 72a1e6f8 authored by Xin Zhao

Bug-fix: avoid freeing NULL pointer in RMA.

req->dev.user_buf points to the data sent from the origin process
to the target process, and for FOP it sometimes points to the IMMED
area in the packet header when the data can fit in the packet header.
In such a case, we should not free req->dev.user_buf in the final
request handler, since that data area will be freed by the
runtime when the packet header is freed.

In this patch we initialize user_buf to NULL when creating the
request, set it to NULL when FOP is completed, and avoid freeing
a NULL pointer in the final request handler.
Signed-off-by: Min Si <>
parent 5f78f0fa
......@@ -322,7 +322,8 @@ int MPIDI_CH3_ReqHandler_GetAccumRespComplete( MPIDI_VC_t *vc,
if (rreq->dev.user_buf != NULL)
MPID_Win_get_ptr(rreq->dev.target_win_handle, win_ptr);
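Review bot: the `if (rreq->dev.user_buf != NULL)` guard has no braces in the lines shown, and the statement it controls is not visible here; the next visible line is the `MPID_Win_get_ptr(...)` call, which must not become conditional on user_buf. Brace the guard so it covers only the free. A short comment at the guard saying that a non-NULL user_buf means a buffer owned by the request would also help, since FOPComplete and MPID_Request_create now both rely on NULL as the "nothing to free" marker.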
......@@ -616,6 +617,16 @@ int MPIDI_CH3_ReqHandler_FOPComplete( MPIDI_VC_t *vc,
/* Free temporary buffer allocated in PktHandler_FOP */
if (len > sizeof(int) * MPIDI_RMA_FOP_IMMED_INTS && rreq->dev.op != MPI_NO_OP) {
/* Assign user_buf to NULL so that reqHandler_GetAccumRespComplete()
will not try to free an empty buffer. */
rreq->dev.user_buf = NULL;
else {
/* FOP data fit in pkt header and user_buf just points to data area in pkt header
in pktHandler_FOP(), and it should be freed when pkt header is freed.
Here we assign user_buf to NULL so that reqHandler_GetAccumRespComplete()
will not try to free it. */
rreq->dev.user_buf = NULL;
*complete = 1;
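Review bot: the else-branch comment says the FOP data fit in the packet header, but the condition `len > sizeof(int) * MPIDI_RMA_FOP_IMMED_INTS && rreq->dev.op != MPI_NO_OP` also routes a large len with `MPI_NO_OP` into that branch; the comment should cover that case or the branch should be split. Both branches end with the same `rreq->dev.user_buf = NULL;`, so hoisting it to a single assignment after the if/else would keep the reset from being missed if another branch is added later. In the first branch, "free an empty buffer" would read more accurately as an already freed buffer, since the reset is what stops reqHandler_GetAccumRespComplete() from freeing the same pointer a second time.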
......@@ -88,6 +88,7 @@ MPID_Request * MPID_Request_create(void)
req->dev.iov_offset = 0;
req->dev.flags = MPIDI_CH3_PKT_FLAG_NONE;
req->dev.resp_request_handle = MPI_REQUEST_NULL;
req->dev.user_buf = NULL;
req->dev.OnDataAvail = NULL;
req->dev.OnFinal = NULL;
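Review bot: the new `req->dev.user_buf = NULL;` in MPID_Request_create carries no comment, yet the NULL check in the final request handler depends on it. A one-line comment here stating that NULL means there is no request-owned buffer to free would document the invariant at the point where it is established.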