Commit adaac541 authored Oct 10, 2025 by Aleksey Marchuk Committed by Tomasz Zawadzki Oct 17, 2025

bdev_nvme: Fix NULL ptr dereference found by scanbuild



Scanbuild:
bdev_nvme.c:9916:50: warning: Access to field 'tqh_first' results in a dereference of a null pointer [core.NullDereference]
 9916 |         next = prev != NULL ? TAILQ_NEXT(prev, tailq) : TAILQ_FIRST(&nbdev_ctrlr->ctrlrs);
      |                                                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
spdk/include/spdk/queue_extras.h:315:27: note: expanded from macro 'TAILQ_FIRST'
  315 | #define TAILQ_FIRST(head)       ((head)->tqh_first)
      |                                 ^~~~~~~~~~~~~~~~~~~

Also add an assert that only one of 2 parameters is a valid pointer

Change-Id: Ib51aa0d9216b7aaf4a5e7ae27508149818b3bdd2
Signed-off-by: Aleksey Marchuk <alexeymar@nvidia.com>
Reviewed-on: https://review.spdk.io/c/spdk/spdk/+/26867


Community-CI: Mellanox Build Bot
Reviewed-by: Jacek Kalwas <jacek.kalwas@nutanix.com>
Tested-by: SPDK Automated Test System <spdkbot@gmail.com>
Reviewed-by: Shuhei Matsumoto <smatsumoto@nvidia.com>

parent d0323536

module/bdev/nvme/bdev_nvme.c

+8 −2

Original line number	Diff line number	Diff line
		@@ -9311,10 +9311,16 @@ nvme_io_path_is_current(struct nvme_io_path *io_path)
		static struct nvme_ctrlr *
		bdev_nvme_next_ctrlr_unsafe(struct nvme_bdev_ctrlr nbdev_ctrlr, struct nvme_ctrlr prev)
		{
		struct nvme_ctrlr *next;
		struct nvme_ctrlr *next = NULL;

		assert((!!nbdev_ctrlr) != (!!prev));

		/* Must be called under g_bdev_nvme_mutex */
		next = prev != NULL ? TAILQ_NEXT(prev, tailq) : TAILQ_FIRST(&nbdev_ctrlr->ctrlrs);
		if (prev) {
		next = TAILQ_NEXT(prev, tailq);
		} else if (nbdev_ctrlr) {
		next = TAILQ_FIRST(&nbdev_ctrlr->ctrlrs);
		}
		while (next != NULL) {
		/* ref can be 0 when the ctrlr was released, but hasn't been detached yet */
		pthread_mutex_lock(&next->mutex);