Hello James Smart,

The patch 4430f7fd09ec: "scsi: lpfc: Rework locations of ndlp
reference taking" from Nov 15, 2020, leads to the following Smatch
static checker warning:

    drivers/scsi/lpfc/lpfc_els.c:5221 lpfc_cmpl_els_logo_acc()
    warn: 'ndlp' was already freed.

drivers/scsi/lpfc/lpfc_els.c
    5162 static void
    5163 lpfc_cmpl_els_logo_acc(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb,
    5164                        struct lpfc_iocbq *rspiocb)
    5165 {
    5166         struct lpfc_nodelist *ndlp = cmdiocb->ndlp;
    5167         struct lpfc_vport *vport = cmdiocb->vport;
    5168         u32 ulp_status, ulp_word4;
    5169
    5170         ulp_status = get_job_ulpstatus(phba, rspiocb);
    5171         ulp_word4 = get_job_word4(phba, rspiocb);
    5172
    5173         lpfc_debugfs_disc_trc(vport, LPFC_DISC_TRC_ELS_RSP,
    5174                 "ACC LOGO cmpl: status:x%x/x%x did:x%x",
    5175                 ulp_status, ulp_word4, ndlp->nlp_DID);
    5176         /* ACC to LOGO completes to NPort <nlp_DID> */
    5177         lpfc_printf_vlog(vport, KERN_INFO, LOG_ELS,
    5178                          "0109 ACC to LOGO completes to NPort x%x refcnt %d "
    5179                          "Data: x%x x%x x%x\n",
    5180                          ndlp->nlp_DID, kref_read(&ndlp->kref), ndlp->nlp_flag,
    5181                          ndlp->nlp_state, ndlp->nlp_rpi);
    5182
    5183         /* This clause allows the LOGO ACC to complete and free resources
    5184          * for the Fabric Domain Controller. It does deliberately skip
    5185          * the unreg_rpi and release rpi because some fabrics send RDP
    5186          * requests after logging out from the initiator.
    5187          */
    5188         if (ndlp->nlp_type & NLP_FABRIC &&
    5189             ((ndlp->nlp_DID & WELL_KNOWN_DID_MASK) != WELL_KNOWN_DID_MASK))
    5190                 goto out;
    5191
    5192         if (ndlp->nlp_state == NLP_STE_NPR_NODE) {
    5193                 /* If PLOGI is being retried, PLOGI completion will cleanup the
    5194                  * node. The NLP_NPR_2B_DISC flag needs to be retained to make
    5195                  * progress on nodes discovered from last RSCN.
    5196                  */
    5197                 if ((ndlp->nlp_flag & NLP_DELAY_TMO) &&
    5198                     (ndlp->nlp_last_elscmd == ELS_CMD_PLOGI))
    5199                         goto out;
    5200
    5201                 /* NPort Recovery mode or node is just allocated */
    5202                 if (!lpfc_nlp_not_used(ndlp)) {
                                                ^^^^
lpfc_nlp_not_used() is a nightmare function from 2007 that frees ndlp
if it's holding the last reference.

    5203                         /* A LOGO is completing and the node is in NPR state.
    5204                          * Just unregister the RPI because the node is still
    5205                          * required.
    5206                          */
    5207                         lpfc_unreg_rpi(vport, ndlp);
    5208                 } else {
    5209                         /* Indicate the node has already released, should
                                                 ^^^^^^^^^^^^^^^^^^^^^^^^^
Node already released on this path.

    5210                          * not reference to it from within lpfc_els_free_iocb.
    5211                          */
    5212                         cmdiocb->ndlp = NULL;
    5213                 }
    5214         }
    5215 out:
    5216         /*
    5217          * The driver received a LOGO from the rport and has ACK'd it.
    5218          * At this point, the driver is done so release the IOCB
    5219          */
    5220         lpfc_els_free_iocb(phba, cmdiocb);
--> 5221         lpfc_nlp_put(ndlp);
                              ^^^^
Double free.  Only cmdiocb->ndlp is cleared on the else path; the local
ndlp still points at the node lpfc_nlp_not_used() released, and it is
put again here.

    5222 }

regards,
dan carpenter