Dan, Thanks for notification. Will take a look. Regards, Quinn Tran -----Original Message----- From: Dan Carpenter <dan.carpenter@xxxxxxxxxx> Sent: Wednesday, January 20, 2021 2:58 AM To: Quinn Tran <qutran@xxxxxxxxxxx> Cc: linux-scsi@xxxxxxxxxxxxxxx Subject: [EXT] [bug report] scsi: qla2xxx: Fix SRB leak on switch command timeout External Email ---------------------------------------------------------------------- Hello Quinn Tran, The patch af2a0c51b120: "scsi: qla2xxx: Fix SRB leak on switch command timeout" from Nov 5, 2019, leads to the following static checker warning: drivers/scsi/qla2xxx/qla_os.c:1032 qla2xxx_mqueuecommand() error: dereferencing freed memory 'sp' drivers/scsi/qla2xxx/qla_os.c 1020 1021 return 0; 1022 1023 qc24_host_busy_free_sp: 1024 sp->free(sp); 1025 1026 qc24_target_busy: 1027 return SCSI_MLQUEUE_TARGET_BUSY; 1028 1029 qc24_free_sp_fail_command: 1030 sp->free(sp); 1031 CMD_SP(cmd) = NULL; 1032 qla2xxx_rel_qpair_sp(sp->qpair, sp); This seems like potentially a false positive but the code is weird. In this case we know that ->free is qla2xxx_qpair_sp_free_dma(). Smatch isn't making that connection and it complains that half the free functions call qla2xxx_rel_qpair_sp() and half don't. These three free "sp" qla2x00_sp_free() qla2x00_els_dcmd_sp_free() qla2x00_bsg_sp_free() The free functions which don't free "sp" are: qla2x00_sp_free_dma() qla2xxx_qpair_sp_free_dma() qla2xxx_rel_free_warning() 1033 1034 qc24_fail_command: 1035 cmd->scsi_done(cmd); 1036 1037 return 0; 1038 } regards, dan carpenter
