* [bug report] IB/hns: Fix the bug when destroy qp
@ 2017-02-07 9:26 Dan Carpenter
2017-02-07 10:32 ` Wei Hu (Xavier)
0 siblings, 1 reply; 2+ messages in thread
From: Dan Carpenter @ 2017-02-07 9:26 UTC (permalink / raw)
To: xavier.huwei-hv44wF8Li93QT0dZR+AlfA; +Cc: linux-rdma-u79uwXL29TY76Z2rM5mHXA
Hello Wei Hu (Xavier),
The patch d838c481e025: "IB/hns: Fix the bug when destroy qp" from
Nov 29, 2016, leads to the following static checker warning:
drivers/infiniband/hw/hns/hns_roce_hw_v1.c:3686 hns_roce_v1_destroy_qp_work_fn()
error: dereferencing freed memory 'hr_qp'
drivers/infiniband/hw/hns/hns_roce_hw_v1.c
3674 hns_roce_qp_remove(hr_dev, hr_qp);
3675 hns_roce_qp_free(hr_dev, hr_qp);
3676
3677 if (hr_qp->ibqp.qp_type == IB_QPT_RC) {
3678 /* RC QP, release QPN */
3679 hns_roce_release_range_qp(hr_dev, hr_qp->qpn, 1);
3680 kfree(hr_qp);
^^^^^
Free.
3681 } else
3682 kfree(hr_to_hr_sqp(hr_qp));
3683
3684 kfree(qp_work_entry);
3685
3686 dev_dbg(dev, "Accomplished destroy QP(0x%lx) work.\n", hr_qp->qpn);
^^^^^^^^^^
Use after free.
3687 }
regards,
dan carpenter
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [bug report] IB/hns: Fix the bug when destroy qp
2017-02-07 9:26 [bug report] IB/hns: Fix the bug when destroy qp Dan Carpenter
@ 2017-02-07 10:32 ` Wei Hu (Xavier)
0 siblings, 0 replies; 2+ messages in thread
From: Wei Hu (Xavier) @ 2017-02-07 10:32 UTC (permalink / raw)
To: Dan Carpenter; +Cc: linux-rdma-u79uwXL29TY76Z2rM5mHXA, oulijun
Hi, Dan Carpenter
Thanks for your comment.
We will fix it.
Thanks very much!
Regards
Wei Hu (Xavier)
On 2017/2/7 17:26, Dan Carpenter wrote:
> Hello Wei Hu (Xavier),
>
> The patch d838c481e025: "IB/hns: Fix the bug when destroy qp" from
> Nov 29, 2016, leads to the following static checker warning:
>
> drivers/infiniband/hw/hns/hns_roce_hw_v1.c:3686 hns_roce_v1_destroy_qp_work_fn()
> error: dereferencing freed memory 'hr_qp'
>
> drivers/infiniband/hw/hns/hns_roce_hw_v1.c
> 3674 hns_roce_qp_remove(hr_dev, hr_qp);
> 3675 hns_roce_qp_free(hr_dev, hr_qp);
> 3676
> 3677 if (hr_qp->ibqp.qp_type == IB_QPT_RC) {
> 3678 /* RC QP, release QPN */
> 3679 hns_roce_release_range_qp(hr_dev, hr_qp->qpn, 1);
> 3680 kfree(hr_qp);
> ^^^^^
> Free.
>
> 3681 } else
> 3682 kfree(hr_to_hr_sqp(hr_qp));
> 3683
> 3684 kfree(qp_work_entry);
> 3685
> 3686 dev_dbg(dev, "Accomplished destroy QP(0x%lx) work.\n", hr_qp->qpn);
> ^^^^^^^^^^
> Use after free.
>
> 3687 }
>
>
> regards,
> dan carpenter
>
> .
>
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2017-02-07 10:32 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-02-07 9:26 [bug report] IB/hns: Fix the bug when destroy qp Dan Carpenter
2017-02-07 10:32 ` Wei Hu (Xavier)
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox