Hi RDMA devs,

I get the following ancient static checker warning:

	net/rds/rdma_transport.c:145 rds_rdma_cm_event_handler_cmn()
	warn: 'conn' was already freed.

net/rds/rdma_transport.c
   104          case RDMA_CM_EVENT_ESTABLISHED:
   105                  trans->cm_connect_complete(conn, event);
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
rds_ib_cm_connect_complete() frees "conn" if the protocol version is too
old.  Smatch says that this is the only caller so no good can come from
freeing it.  Hopefully, it's checked somewhere else and we can just
delete the check in rds_ib_cm_connect_complete().

   106                  break;
   107  
   108          case RDMA_CM_EVENT_REJECTED:
   109                  rdsdebug("Connection rejected: %s\n",
   110                           rdma_reject_msg(cm_id, event->status));
   111                  /* FALLTHROUGH */
   112          case RDMA_CM_EVENT_ADDR_ERROR:
   113          case RDMA_CM_EVENT_ROUTE_ERROR:
   114          case RDMA_CM_EVENT_CONNECT_ERROR:
   115          case RDMA_CM_EVENT_UNREACHABLE:
   116          case RDMA_CM_EVENT_DEVICE_REMOVAL:
   117          case RDMA_CM_EVENT_ADDR_CHANGE:
   118                  if (conn)
   119                          rds_conn_drop(conn);
   120                  break;
   121  
   122          case RDMA_CM_EVENT_DISCONNECTED:
   123                  rdsdebug("DISCONNECT event - dropping connection "
   124                           "%pI6c->%pI6c\n", &conn->c_laddr,
   125                           &conn->c_faddr);
   126                  rds_conn_drop(conn);
   127                  break;
   128  
   129          case RDMA_CM_EVENT_TIMEWAIT_EXIT:
   130                  if (conn) {
   131                          pr_info("RDS: RDMA_CM_EVENT_TIMEWAIT_EXIT event: dropping connection %pI6c->%pI6c\n",
   132                                  &conn->c_laddr, &conn->c_faddr);
   133                          rds_conn_drop(conn);
   134                  }
   135                  break;
   136  
   137          default:
   138                  /* things like device disconnect? */
   139                  printk(KERN_ERR "RDS: unknown event %u (%s)!\n",
   140                         event->event, rdma_event_msg(event->event));
   141                  break;
   142          }
   143  
   144  out:
   145          if (conn)
   146                  mutex_unlock(&conn->c_cm_lock);
                                      ^^^^^^^^^^^^^^^
Use after free: if the cm_connect_complete() call on line 105 freed
"conn", the pointer is still non-NULL here, so the "if (conn)" check
passes and the unlock touches freed memory.

regards,
dan carpenter
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html