nbd: Fix scan build failure

This patch fixes the following scan build failure. nbd.c:697:6: warning: Use of memory after it is freed if (io->state == NBD_IO_XMIT_RESP) { ^~~~~~~~~ Change-Id: Icba8b509604b064bff36d6ef63ecf02617ad7666 Signed-off-by: Shuhei Matsumoto <shuhei.matsumoto.xt@hitachi.com> Reviewed-on: https://review.gerrithub.io/427366 Chandler-Test-Pool: SPDK Automated Test System <sys_sgsw@intel.com> Tested-by: SPDK CI Jenkins <sys_sgci@intel.com> Reviewed-by: Jim Harris <james.r.harris@intel.com> Reviewed-by: Ben Walker <benjamin.walker@intel.com>
2018-10-01 10:17:43 +09:00 · 2018-10-01 10:17:43 +09:00 · e1e9b05e9e
commit e1e9b05e9e
parent 317b9a5324
1 changed files with 10 additions and 2 deletions
--- a/lib/nbd/nbd.c
+++ b/lib/nbd/nbd.c
@ -649,12 +649,19 @@ spdk_nbd_io_xmit_internal(struct spdk_nbd_disk *nbd)
 		return 0;
 	}

+	/* Remove IO from list now assuming it will be completed.  It will be inserted
+	 *  back to the head if it cannot be completed.  This approach is specifically
+	 *  taken to work around a scan-build use-after-free mischaracterization.
+	 */
+	TAILQ_REMOVE(&nbd->executed_io_list, io, tailq);
+
 	/* resp error and handler are already set in io_done */

 	if (io->state == NBD_IO_XMIT_RESP) {
 		ret = write_to_socket(nbd->spdk_sp_fd, (char *)&io->resp + io->offset,
 				      sizeof(io->resp) - io->offset);
 		if (ret <= 0) {
+			TAILQ_INSERT_HEAD(&nbd->executed_io_list, io, tailq);
 			return ret;
 		}

@ -666,7 +673,6 @@ spdk_nbd_io_xmit_internal(struct spdk_nbd_disk *nbd)

 			/* transmit payload only when NBD_CMD_READ with no resp error */
 			if (from_be32(&io->req.type) != NBD_CMD_READ || io->resp.error != 0) {
-				TAILQ_REMOVE(&nbd->executed_io_list, io, tailq);
 				spdk_put_nbd_io(nbd, io);
 				return 0;
 			} else {
@ -678,6 +684,7 @@ spdk_nbd_io_xmit_internal(struct spdk_nbd_disk *nbd)
 	if (io->state == NBD_IO_XMIT_PAYLOAD) {
 		ret = write_to_socket(nbd->spdk_sp_fd, io->payload + io->offset, io->payload_size - io->offset);
 		if (ret <= 0) {
+			TAILQ_INSERT_HEAD(&nbd->executed_io_list, io, tailq);
 			return ret;
 		}

@ -685,11 +692,12 @@ spdk_nbd_io_xmit_internal(struct spdk_nbd_disk *nbd)

 		/* read payload is fully transmitted */
 		if (io->offset == io->payload_size) {
-			TAILQ_REMOVE(&nbd->executed_io_list, io, tailq);
 			spdk_put_nbd_io(nbd, io);
+			return 0;
 		}
 	}

+	TAILQ_INSERT_HEAD(&nbd->executed_io_list, io, tailq);
 	return 0;
 }