* [bug report] [SCSI] lpfc 8.3.24: Extend BSG infrastructure and add link diagnostics
@ 2021-01-13 8:56 Dan Carpenter
2021-01-13 9:46 ` Dan Carpenter
0 siblings, 1 reply; 2+ messages in thread
From: Dan Carpenter @ 2021-01-13 8:56 UTC (permalink / raw)
To: james.smart; +Cc: linux-scsi
Hello James Smart,
The patch 7ad20aa9d39a: "[SCSI] lpfc 8.3.24: Extend BSG
infrastructure and add link diagnostics" from May 24, 2011, leads to
the following static checker warning:
drivers/scsi/lpfc/lpfc_bsg.c:4989 lpfc_bsg_issue_mbox()
warn: 'dmabuf' was already freed.
The problem is that lpfc_bsg_issue_mbox() call lpfc_bsg_handle_sli_cfg_ext()
which calls lpfc_bsg_handle_sli_cfg_ebuf() which is where the bug really
is, I think.
drivers/scsi/lpfc/lpfc_bsg.c
4584 static int
4585 lpfc_bsg_handle_sli_cfg_ebuf(struct lpfc_hba *phba, struct bsg_job *job,
4586 struct lpfc_dmabuf *dmabuf)
4587 {
4588 int rc;
4589
4590 lpfc_printf_log(phba, KERN_INFO, LOG_LIBDFC,
4591 "2971 SLI_CONFIG buffer (type:x%x)\n",
4592 phba->mbox_ext_buf_ctx.mboxType);
4593
4594 if (phba->mbox_ext_buf_ctx.mboxType == mbox_rd) {
4595 if (phba->mbox_ext_buf_ctx.state != LPFC_BSG_MBOX_DONE) {
4596 lpfc_printf_log(phba, KERN_ERR, LOG_LIBDFC,
4597 "2972 SLI_CONFIG rd buffer state "
4598 "mismatch:x%x\n",
4599 phba->mbox_ext_buf_ctx.state);
4600 lpfc_bsg_mbox_ext_abort(phba);
4601 return -EPIPE;
4602 }
4603 rc = lpfc_bsg_read_ebuf_get(phba, job);
4604 if (rc == SLI_CONFIG_HANDLED)
4605 lpfc_bsg_dma_page_free(phba, dmabuf);
I think this path is correct.
4606 } else { /* phba->mbox_ext_buf_ctx.mboxType == mbox_wr */
4607 if (phba->mbox_ext_buf_ctx.state != LPFC_BSG_MBOX_HOST) {
4608 lpfc_printf_log(phba, KERN_ERR, LOG_LIBDFC,
4609 "2973 SLI_CONFIG wr buffer state "
4610 "mismatch:x%x\n",
4611 phba->mbox_ext_buf_ctx.state);
4612 lpfc_bsg_mbox_ext_abort(phba);
4613 return -EPIPE;
4614 }
4615 rc = lpfc_bsg_write_ebuf_set(phba, job, dmabuf);
But this path has two bugs. If lpfc_bsg_write_ebuf_set() then it frees
three things but it should not free anything. This leads to the double
free bug which Smatch is complaining about. (Smatch only catches one of
the problems). The second bug is that if lpfc_bsg_write_ebuf_set()
return SLI_CONFIG_HANDLED then this patch should call
lpfc_bsg_dma_page_free(phba, dmabuf);
4616 }
4617 return rc;
4618 }
regards,
dan carpenter
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [bug report] [SCSI] lpfc 8.3.24: Extend BSG infrastructure and add link diagnostics
2021-01-13 8:56 [bug report] [SCSI] lpfc 8.3.24: Extend BSG infrastructure and add link diagnostics Dan Carpenter
@ 2021-01-13 9:46 ` Dan Carpenter
0 siblings, 0 replies; 2+ messages in thread
From: Dan Carpenter @ 2021-01-13 9:46 UTC (permalink / raw)
To: james.smart; +Cc: linux-scsi
On Wed, Jan 13, 2021 at 11:56:06AM +0300, Dan Carpenter wrote:
> Hello James Smart,
>
> The patch 7ad20aa9d39a: "[SCSI] lpfc 8.3.24: Extend BSG
> infrastructure and add link diagnostics" from May 24, 2011, leads to
> the following static checker warning:
>
> drivers/scsi/lpfc/lpfc_bsg.c:4989 lpfc_bsg_issue_mbox()
> warn: 'dmabuf' was already freed.
>
> The problem is that lpfc_bsg_issue_mbox() call lpfc_bsg_handle_sli_cfg_ext()
> which calls lpfc_bsg_handle_sli_cfg_ebuf() which is where the bug really
> is, I think.
>
> drivers/scsi/lpfc/lpfc_bsg.c
> 4584 static int
> 4585 lpfc_bsg_handle_sli_cfg_ebuf(struct lpfc_hba *phba, struct bsg_job *job,
> 4586 struct lpfc_dmabuf *dmabuf)
> 4587 {
> 4588 int rc;
> 4589
> 4590 lpfc_printf_log(phba, KERN_INFO, LOG_LIBDFC,
> 4591 "2971 SLI_CONFIG buffer (type:x%x)\n",
> 4592 phba->mbox_ext_buf_ctx.mboxType);
> 4593
> 4594 if (phba->mbox_ext_buf_ctx.mboxType == mbox_rd) {
> 4595 if (phba->mbox_ext_buf_ctx.state != LPFC_BSG_MBOX_DONE) {
> 4596 lpfc_printf_log(phba, KERN_ERR, LOG_LIBDFC,
> 4597 "2972 SLI_CONFIG rd buffer state "
> 4598 "mismatch:x%x\n",
> 4599 phba->mbox_ext_buf_ctx.state);
> 4600 lpfc_bsg_mbox_ext_abort(phba);
> 4601 return -EPIPE;
> 4602 }
> 4603 rc = lpfc_bsg_read_ebuf_get(phba, job);
> 4604 if (rc == SLI_CONFIG_HANDLED)
> 4605 lpfc_bsg_dma_page_free(phba, dmabuf);
>
> I think this path is correct.
>
> 4606 } else { /* phba->mbox_ext_buf_ctx.mboxType == mbox_wr */
> 4607 if (phba->mbox_ext_buf_ctx.state != LPFC_BSG_MBOX_HOST) {
> 4608 lpfc_printf_log(phba, KERN_ERR, LOG_LIBDFC,
> 4609 "2973 SLI_CONFIG wr buffer state "
> 4610 "mismatch:x%x\n",
> 4611 phba->mbox_ext_buf_ctx.state);
> 4612 lpfc_bsg_mbox_ext_abort(phba);
> 4613 return -EPIPE;
> 4614 }
> 4615 rc = lpfc_bsg_write_ebuf_set(phba, job, dmabuf);
>
> But this path has two bugs. If lpfc_bsg_write_ebuf_set() then it frees
> three things but it should not free anything. This leads to the double
> free bug which Smatch is complaining about. (Smatch only catches one of
> the problems).
Actually the other two are local variables so freeing them was correct.
But I've added the mempool_free() to Smatch as a free function since it
wasn't tracking that before.
regards,
dan carpenter
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-01-13 9:55 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-01-13 8:56 [bug report] [SCSI] lpfc 8.3.24: Extend BSG infrastructure and add link diagnostics Dan Carpenter
2021-01-13 9:46 ` Dan Carpenter
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox