Hi, Dan
What tool are you using to find this problem?
Zhu Yanjun
On 2018/6/5 18:05, Dan Carpenter wrote:
[ It's slightly weird to me that this warning is only showing up now.
My cross function DB is not entirely built so it may be a problem on
my end. - dan ]
Hello Zhu Yanjun,
The patch 5793b4652155: "IB/rxe: remove unnecessary skb_clone in
xmit" from Jan 8, 2018, leads to the following static checker warning:
drivers/infiniband/sw/rxe/rxe_req.c:743 rxe_requester()
warn: 'skb' was already freed.
drivers/infiniband/sw/rxe/rxe_net.c
490 int rxe_send(struct rxe_pkt_info *pkt, struct sk_buff *skb)
491 {
492 struct rxe_av *av;
493 int err;
494
495 av = rxe_get_av(pkt);
496
497 skb->destructor = rxe_skb_tx_dtor;
498 skb->sk = pkt->qp->sk->sk;
499
500 rxe_add_ref(pkt->qp);
501 atomic_inc(&pkt->qp->skb_out);
502
503 if (av->network_type == RDMA_NETWORK_IPV4) {
504 err = ip_local_out(dev_net(skb_dst(skb)->dev), skb->sk, skb);
505 } else if (av->network_type == RDMA_NETWORK_IPV6) {
506 err = ip6_local_out(dev_net(skb_dst(skb)->dev), skb->sk, skb);
507 } else {
508 pr_err("Unknown layer 3 protocol: %d\n", av->network_type);
509 atomic_dec(&pkt->qp->skb_out);
510 rxe_drop_ref(pkt->qp);
511 kfree_skb(skb);
^^^
We added this kfree(skb);
512 return -EINVAL;
513 }
514
515 if (unlikely(net_xmit_eval(err))) {
516 pr_debug("error sending packet: %d\n", err);
517 return -EAGAIN;
518 }
519
520 return 0;
521 }
drivers/infiniband/sw/rxe/rxe_req.c
715 /*
716 * To prevent a race on wqe access between requester and completer,
717 * wqe members state and psn need to be set before calling
718 * rxe_xmit_packet().
719 * Otherwise, completer might initiate an unjustified retry flow.
720 */
721 save_state(wqe, qp, &rollback_wqe, &rollback_psn);
722 update_wqe_state(qp, wqe, &pkt);
723 update_wqe_psn(qp, wqe, &pkt, payload);
724 ret = rxe_xmit_packet(to_rdev(qp->ibqp.device), qp, &pkt, skb);
^^^
But Smatch thinks it gets passed back to here (which is is although
that might be unreachable on from this call site, I don't know).
725 if (ret) {
726 qp->need_req_skb = 1;
727
728 rollback_state(wqe, qp, &rollback_wqe, rollback_psn);
729
730 if (ret == -EAGAIN) {
731 rxe_run_task(&qp->req.task, 1);
732 goto exit;
733 }
734
735 goto err;
736 }
737
738 update_state(qp, wqe, &pkt, payload);
739
740 goto next_wqe;
741
742 err:
743 kfree_skb(skb);
^^^
Double free here.
744 wqe->status = IB_WC_LOC_PROT_ERR;
745 wqe->state = wqe_state_error;
746 __rxe_do_task(&qp->comp.task);
747
748 exit:
749 rxe_drop_ref(qp);
regards,
dan carpenter
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
