From: "Wei Hu (Xavier)"
Subject: Re: [bug report] IB/hns: Fix the bug when destroy qp
Date: Tue, 7 Feb 2017 18:32:18 +0800
Message-ID: <5899A232.9040000@huawei.com>
References: <20170207092650.GA26924@mwanda>
In-Reply-To: <20170207092650.GA26924@mwanda>
To: Dan Carpenter
Cc: linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, oulijun
List-Id: linux-rdma@vger.kernel.org

Hi, Dan Carpenter

    Thanks for your comment. We will fix it.
    Thanks very much!

Regards
Wei Hu (Xavier)

On 2017/2/7 17:26, Dan Carpenter wrote:
> Hello Wei Hu (Xavier),
>
> The patch d838c481e025: "IB/hns: Fix the bug when destroy qp" from
> Nov 29, 2016, leads to the following static checker warning:
>
>     drivers/infiniband/hw/hns/hns_roce_hw_v1.c:3686 hns_roce_v1_destroy_qp_work_fn()
>     error: dereferencing freed memory 'hr_qp'
>
> drivers/infiniband/hw/hns/hns_roce_hw_v1.c
>   3674          hns_roce_qp_remove(hr_dev, hr_qp);
>   3675          hns_roce_qp_free(hr_dev, hr_qp);
>   3676
>   3677          if (hr_qp->ibqp.qp_type == IB_QPT_RC) {
>   3678                  /* RC QP, release QPN */
>   3679                  hns_roce_release_range_qp(hr_dev, hr_qp->qpn, 1);
>   3680                  kfree(hr_qp);
>                               ^^^^^
> Free.
>
>   3681          } else
>   3682                  kfree(hr_to_hr_sqp(hr_qp));
>   3683
>   3684          kfree(qp_work_entry);
>   3685
>   3686          dev_dbg(dev, "Accomplished destroy QP(0x%lx) work.\n", hr_qp->qpn);
>                                                                        ^^^^^^^^^^
> Use after free.
>
>   3687  }
>
>
> regards,
> dan carpenter
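
The ordering problem flagged in the report above, shown as an added user-space example that is not part of the original thread or the hns driver: every field needed after the free is copied to a local first, so the final log line never touches freed memory on either branch. All type and function names (`model_qp`, `model_sqp`, `to_sqp`, `model_destroy_qp`) and the sample QP numbers are hypothetical stand-ins constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical user-space stand-ins for the driver's QP structures. */
enum qp_type { QPT_RC, QPT_GSI };
struct model_qp { enum qp_type type; unsigned long qpn; };
/* A special QP embeds the generic QP, so it is freed via its container. */
struct model_sqp { struct model_qp qp; int port; };

static unsigned long released_qpns; /* counts modelled QPN releases */

static struct model_sqp *to_sqp(struct model_qp *qp)
{
    return (struct model_sqp *)((char *)qp - offsetof(struct model_sqp, qp));
}

/*
 * Tear down a QP and return its number for the final log message.
 * qpn and type are snapshotted before any free, so nothing
 * dereferences qp once the memory has been handed back.
 */
unsigned long model_destroy_qp(struct model_qp *qp)
{
    unsigned long qpn = qp->qpn;
    enum qp_type type = qp->type;

    if (type == QPT_RC) {
        released_qpns++;      /* models releasing the QPN range */
        free(qp);
    } else {
        free(to_sqp(qp));     /* free the containing object */
    }
    printf("Accomplished destroy QP(0x%lx) work.\n", qpn); /* local copy */
    return qpn;
}

int main(void)
{
    /* Constructed sample objects: one RC QP and one special (GSI) QP. */
    struct model_qp *rc = calloc(1, sizeof(*rc));
    struct model_sqp *gsi = calloc(1, sizeof(*gsi));
    if (!rc || !gsi)
        return 1;
    rc->type = QPT_RC;      rc->qpn = 0x12;
    gsi->qp.type = QPT_GSI; gsi->qp.qpn = 0x1;
    model_destroy_qp(rc);
    model_destroy_qp(&gsi->qp);
    return 0;
}
```

Building this with `-fsanitize=address` is a quick way to confirm that neither branch reads the object after it is freed.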