On Fri, Jul 30, 2021 at 01:15:39PM -0400, James Carlson wrote:
> >> 2798 skb_queue_walk_safe(list, p, tmp) {
> >> 2799 if (p == head)
> >
> > One of the weak points of Smatch is how it parses lists... Also it
> > doesn't have any implications for this if (p == head) condition.
>
> This is where things break down. That queue walker macro on line 2798
> re-assigns 'p'. The code marches over the list and says "anything that
> still exists up to (but not including) the head for this completed
> packet is trash." Note that *NOTHING* here is harming 'head' or
> anything in the list that follows that buffer -- which includes 'tail.'
Crud... I can't believe I misread this code twice.
I'm not actually sure why Smatch doesn't get this correct. I wanted to
blame it on the new unpublished bits but even the published code is
buggy. :/ I will investigate and fix this.
Thanks for taking the time on this.
regards,
dan carpenter
