[bug report] nbd: requeue command if the soecket is changed

[bug report] nbd: requeue command if the soecket is changed

[Dan Carpenter]

Hello Hou Pu,

This is a semi-automatic email about new static checker warnings.

The patch 2c272542baee: "nbd: requeue command if the soecket is
changed" from Feb 28, 2020, leads to the following Smatch complaint:

    drivers/block/nbd.c:437 nbd_xmit_timeout()
    error: we previously assumed 'config->socks' could be null (see line 410)

drivers/block/nbd.c
   409			 */
   410			if (config->socks) {
                            ^^^^^^^^^^^^^
Check for NULL.

   411				if (cmd->index < config->num_connections) {
   412					struct nbd_sock *nsock =
   413						config->socks[cmd->index];
   414					mutex_lock(&nsock->tx_lock);
   415					/* We can have multiple outstanding requests, so
   416					 * we don't want to mark the nsock dead if we've
   417					 * already reconnected with a new socket, so
   418					 * only mark it dead if its the same socket we
   419					 * were sent out on.
   420					 */
   421					if (cmd->cookie == nsock->cookie)
   422						nbd_mark_nsock_dead(nbd, nsock, 1);
   423					mutex_unlock(&nsock->tx_lock);
   424				}
   425				mutex_unlock(&cmd->lock);
   426				nbd_requeue_cmd(cmd);
   427				nbd_config_put(nbd);
   428				return BLK_EH_DONE;
   429			}
   430		}
   431	
   432		if (!nbd->tag_set.timeout) {
   433			/*
   434			 * Userspace sets timeout=0 to disable socket disconnection,
   435			 * so just warn and reset the timer.
   436			 */
   437			struct nbd_sock *nsock = config->socks[cmd->index];
                                                 ^^^^^^^^^^^^^
New unchecked dereference.

Also on the other path, we check that "cmd->index" is within bounds but
here we just assume that it is.

   438			cmd->retries++;
   439			dev_info(nbd_to_dev(nbd), "Possible stuck request %p: control (%s@%llu,%uB). Runtime %u seconds\n",

regards,
dan carpenter