[bug report] IB/rxe: remove unnecessary skb_clone in xmit

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



[ It's slightly weird to me that this warning is only showing up now.
  My cross function DB is not entirely built so it may be a problem on
  my end.  - dan ]

Hello Zhu Yanjun,

The patch 5793b4652155: "IB/rxe: remove unnecessary skb_clone in
xmit" from Jan 8, 2018, leads to the following static checker warning:

	drivers/infiniband/sw/rxe/rxe_req.c:743 rxe_requester()
	warn: 'skb' was already freed.

drivers/infiniband/sw/rxe/rxe_net.c
   490  int rxe_send(struct rxe_pkt_info *pkt, struct sk_buff *skb)
   491  {
   492          struct rxe_av *av;
   493          int err;
   494  
   495          av = rxe_get_av(pkt);
   496  
   497          skb->destructor = rxe_skb_tx_dtor;
   498          skb->sk = pkt->qp->sk->sk;
   499  
   500          rxe_add_ref(pkt->qp);
   501          atomic_inc(&pkt->qp->skb_out);
   502  
   503          if (av->network_type == RDMA_NETWORK_IPV4) {
   504                  err = ip_local_out(dev_net(skb_dst(skb)->dev), skb->sk, skb);
   505          } else if (av->network_type == RDMA_NETWORK_IPV6) {
   506                  err = ip6_local_out(dev_net(skb_dst(skb)->dev), skb->sk, skb);
   507          } else {
   508                  pr_err("Unknown layer 3 protocol: %d\n", av->network_type);
   509                  atomic_dec(&pkt->qp->skb_out);
   510                  rxe_drop_ref(pkt->qp);
   511                  kfree_skb(skb);
                                  ^^^
We added this kfree(skb);

   512                  return -EINVAL;
   513          }
   514  
   515          if (unlikely(net_xmit_eval(err))) {
   516                  pr_debug("error sending packet: %d\n", err);
   517                  return -EAGAIN;
   518          }
   519  
   520          return 0;
   521  }

drivers/infiniband/sw/rxe/rxe_req.c
   715          /*
   716           * To prevent a race on wqe access between requester and completer,
   717           * wqe members state and psn need to be set before calling
   718           * rxe_xmit_packet().
   719           * Otherwise, completer might initiate an unjustified retry flow.
   720           */
   721          save_state(wqe, qp, &rollback_wqe, &rollback_psn);
   722          update_wqe_state(qp, wqe, &pkt);
   723          update_wqe_psn(qp, wqe, &pkt, payload);
   724          ret = rxe_xmit_packet(to_rdev(qp->ibqp.device), qp, &pkt, skb);
                                                                          ^^^
But Smatch thinks it gets passed back to here (which is is although
that might be unreachable on from this call site, I don't know).

   725          if (ret) {
   726                  qp->need_req_skb = 1;
   727  
   728                  rollback_state(wqe, qp, &rollback_wqe, rollback_psn);
   729  
   730                  if (ret == -EAGAIN) {
   731                          rxe_run_task(&qp->req.task, 1);
   732                          goto exit;
   733                  }
   734  
   735                  goto err;
   736          }
   737  
   738          update_state(qp, wqe, &pkt, payload);
   739  
   740          goto next_wqe;
   741  
   742  err:
   743          kfree_skb(skb);
                          ^^^
Double free here.

   744          wqe->status = IB_WC_LOC_PROT_ERR;
   745          wqe->state = wqe_state_error;
   746          __rxe_do_task(&qp->comp.task);
   747  
   748  exit:
   749          rxe_drop_ref(qp);

regards,
dan carpenter
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Photo]     [Yosemite News]     [Yosemite Photos]     [Linux Kernel]     [Linux SCSI]     [XFree86]

  Powered by Linux