From: Dan Carpenter <error27@gmail.com>
To: faisal.latif@intel.com
Cc: linux-rdma@vger.kernel.org
Subject: [bug report] iwpm: crash fix for large connections test
Date: Tue, 15 Nov 2022 16:17:32 +0300
Message-ID: <Y3ORbHXv5M8X8kqN@kili>

[ This isn't really the correct patch to blame.  Sorry! -dan ]

Hello Faisal Latif,

The patch dafb5587178a: "iwpm: crash fix for large connections test"
from Feb 26, 2016, leads to the following Smatch static checker
warning:

drivers/infiniband/core/iwpm_msg.c:437 iwpm_register_pid_cb() warn: 'nlmsg_request' was already freed.
drivers/infiniband/core/iwpm_msg.c:509 iwpm_add_mapping_cb() warn: 'nlmsg_request' was already freed.
drivers/infiniband/core/iwpm_msg.c:607 iwpm_add_and_query_mapping_cb() warn: 'nlmsg_request' was already freed.
drivers/infiniband/core/iwpm_msg.c:806 iwpm_mapping_error_cb() warn: 'nlmsg_request' was already freed.

drivers/infiniband/core/iwpm_msg.c
    385 int iwpm_register_pid_cb(struct sk_buff *skb, struct netlink_callback *cb)
    386 {
    387         struct iwpm_nlmsg_request *nlmsg_request = NULL;
    388         struct nlattr *nltb[IWPM_NLA_RREG_PID_MAX];
    389         struct iwpm_dev_data *pm_msg;
    390         char *dev_name, *iwpm_name;
    391         u32 msg_seq;
    392         u8 nl_client;
    393         u16 iwpm_version;
    394         const char *msg_type = "Register Pid response";
    395 
    396         if (iwpm_parse_nlmsg(cb, IWPM_NLA_RREG_PID_MAX,
    397                                 resp_reg_policy, nltb, msg_type))
    398                 return -EINVAL;
    399 
    400         msg_seq = nla_get_u32(nltb[IWPM_NLA_RREG_PID_SEQ]);
    401         nlmsg_request = iwpm_find_nlmsg_request(msg_seq);
    402         if (!nlmsg_request) {
    403                 pr_info("%s: Could not find a matching request (seq = %u)\n",
    404                                  __func__, msg_seq);
    405                 return -EINVAL;
    406         }
    407         pm_msg = nlmsg_request->req_buffer;
    408         nl_client = nlmsg_request->nl_client;
    409         dev_name = (char *)nla_data(nltb[IWPM_NLA_RREG_IBDEV_NAME]);
    410         iwpm_name = (char *)nla_data(nltb[IWPM_NLA_RREG_ULIB_NAME]);
    411         iwpm_version = nla_get_u16(nltb[IWPM_NLA_RREG_ULIB_VER]);
    412 
    413         /* check device name, ulib name and version */
    414         if (strcmp(pm_msg->dev_name, dev_name) ||
    415                         strcmp(iwpm_ulib_name, iwpm_name) ||
    416                         iwpm_version < IWPM_UABI_VERSION_MIN) {
    417 
    418                 pr_info("%s: Incorrect info (dev = %s name = %s version = %u)\n",
    419                                 __func__, dev_name, iwpm_name, iwpm_version);
    420                 nlmsg_request->err_code = IWPM_USER_LIB_INFO_ERR;
    421                 goto register_pid_response_exit;
    422         }
    423         iwpm_user_pid = cb->nlh->nlmsg_pid;
    424         iwpm_ulib_version = iwpm_version;
    425         if (iwpm_ulib_version < IWPM_UABI_VERSION)
    426                 pr_warn_once("%s: Down level iwpmd/pid %d.  Continuing...",
    427                         __func__, iwpm_user_pid);
    428         atomic_set(&echo_nlmsg_seq, cb->nlh->nlmsg_seq);
    429         pr_debug("%s: iWarp Port Mapper (pid = %d) is available!\n",
    430                         __func__, iwpm_user_pid);
    431         iwpm_set_registration(nl_client, IWPM_REG_VALID);
    432 register_pid_response_exit:
    433         nlmsg_request->request_done = 1;
    434         /* always for found nlmsg_request */
    435         kref_put(&nlmsg_request->kref, iwpm_free_nlmsg_request);

The iwpm_free_nlmsg_request() function will free "nlmsg_request"...
It's not clear what the "/* always for found nlmsg_request */" comment
means.  Maybe it means that the refcount won't drop to zero so the
free function won't be called?

    436         barrier();
--> 437         up(&nlmsg_request->sem);
                    ^^^^^^^^^^^^^
Dereference.

    438         return 0;
    439 }

regards,
dan carpenter
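The ordering hazard the Smatch warning points at, as an added example that is not part of this report and not the kernel's code: a userland model of the kref/semaphore lifetime rule behind the quoted callback. A fixed pool stands in for kmalloc/kfree so a released object can be inspected without undefined behaviour; the names request_get/request_put/request_up, the alive and sem_count fields, and the run_callback() driver are this model's own. The model also assumes that the lookup took its own reference on the request and that the original requester may or may not still hold the reference it got at allocation time; whether the real code can reach the "requester already gone" state is exactly the question the report raises.

```c
#include <stdio.h>
#include <string.h>

/* Constructed pool: stands in for kmalloc/kfree so a released slot can be
 * inspected safely. All names below are this example's, not the kernel's. */
#define POOL_SIZE 4

struct nlmsg_request {
	int refcount;      /* models the kref */
	int sem_count;     /* models the semaphore: up() increments it */
	int request_done;
	int alive;         /* 1 while allocated, 0 once the last reference is dropped */
};

static struct nlmsg_request pool[POOL_SIZE];

static struct nlmsg_request *request_alloc(void)
{
	for (int i = 0; i < POOL_SIZE; i++) {
		if (!pool[i].alive) {
			memset(&pool[i], 0, sizeof(pool[i]));
			pool[i].alive = 1;
			pool[i].refcount = 1;   /* the requester's reference */
			return &pool[i];
		}
	}
	return NULL;
}

static void request_get(struct nlmsg_request *r)
{
	r->refcount++;
}

/* Models kref_put(&kref, release): returns 1 when this call released the object. */
static int request_put(struct nlmsg_request *r)
{
	if (--r->refcount == 0) {
		r->alive = 0;           /* the release callback frees here */
		return 1;
	}
	return 0;
}

/* Models up(&r->sem): 0 on success, -1 if it would touch a released object. */
static int request_up(struct nlmsg_request *r)
{
	if (!r->alive)
		return -1;              /* in the kernel this is the use-after-free */
	r->sem_count++;
	return 0;
}

/* Same order as the quoted callback: drop our reference, then wake the waiter. */
static int finish_put_then_up(struct nlmsg_request *r)
{
	r->request_done = 1;
	request_put(r);
	return request_up(r);
}

/* Alternative order: wake the waiter while we still hold a reference, then drop it. */
static int finish_up_then_put(struct nlmsg_request *r)
{
	r->request_done = 1;
	if (request_up(r))
		return -1;
	request_put(r);
	return 0;
}

/* Drive one callback. Assumed: the lookup took its own reference, and the
 * requester may already have dropped its own (e.g. after a timeout).
 * Returns the callback's result: 0 ok, -1 touched a released object, -2 no slot. */
static int run_callback(int (*finish)(struct nlmsg_request *), int requester_holds_ref)
{
	struct nlmsg_request *r = request_alloc();

	if (!r)
		return -2;
	request_get(r);                 /* the callback found the request */
	if (!requester_holds_ref)
		request_put(r);         /* requester already gave up before the reply */
	int rc = finish(r);
	if (r->alive && requester_holds_ref)
		request_put(r);         /* requester wakes up and drops its reference */
	return rc;
}

int main(void)
{
	printf("put-then-up, requester present: %d\n", run_callback(finish_put_then_up, 1));
	printf("put-then-up, requester gone:    %d\n", run_callback(finish_put_then_up, 0));
	printf("up-then-put, requester present: %d\n", run_callback(finish_up_then_put, 1));
	printf("up-then-put, requester gone:    %d\n", run_callback(finish_up_then_put, 0));
	return 0;
}
```

With two references outstanding the quoted put-then-up order is harmless, which is presumably what the "always for found nlmsg_request" comment relies on; the hazard appears only when the callback's kref_put() is the last one, and then the fix is a question of ordering (or of holding the reference across the up()), not of the semaphore itself.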

Thread overview: 6+ messages
2022-11-15 13:17 Dan Carpenter [this message]
2022-11-17  9:24 ` [bug report] iwpm: crash fix for large connections test Leon Romanovsky
2022-11-18 20:44   ` Ismail, Mustafa
2022-11-19  7:31     ` Dan Carpenter
2022-11-28  7:34     ` Dan Carpenter
2023-01-20 11:13       ` Greg Kroah-Hartman