Date:      Wed, 29 Sep 2021 03:24:25 GMT
From:      Warner Losh <imp@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: 36a87d0c6fe9 - main - nvme: Sanity check completion id
Message-ID:  <202109290324.18T3OPwf075607@gitrepo.freebsd.org>

The branch main has been updated by imp:

URL: https://cgit.FreeBSD.org/src/commit/?id=36a87d0c6fe9d65de23f177ef84000b205f87e39

commit 36a87d0c6fe9d65de23f177ef84000b205f87e39
Author:     Warner Losh <imp@FreeBSD.org>
AuthorDate: 2021-09-29 03:21:50 +0000
Commit:     Warner Losh <imp@FreeBSD.org>
CommitDate: 2021-09-29 03:21:50 +0000

    nvme: Sanity check completion id
    
    Make sure the completion ID is in the range of [0..num_trackers) since
    the values past the end of the act_tr array are never going to be valid
    trackers and will lead to pain and suffering if we try to dereference
    them to get the tracker or to set the tracker back to NULL as we
    complete the I/O.
    
    Sponsored by:           Netflix
    Reviewed by:            mav, chs, chuck
    Differential Revision:  https://reviews.freebsd.org/D32088
---
 sys/dev/nvme/nvme_qpair.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/sys/dev/nvme/nvme_qpair.c b/sys/dev/nvme/nvme_qpair.c
index 788322092f88..8041731099df 100644
--- a/sys/dev/nvme/nvme_qpair.c
+++ b/sys/dev/nvme/nvme_qpair.c
@@ -624,7 +624,10 @@ nvme_qpair_process_completions(struct nvme_qpair *qpair)
 		    NVME_STATUS_GET_P(status) == NVME_STATUS_GET_P(cpl.status),
 		    ("Phase unexpectedly inconsistent"));
 
-		tr = qpair->act_tr[cpl.cid];
+		if (cpl.cid < qpair->num_trackers)
+			tr = qpair->act_tr[cpl.cid];
+		else
+			tr = NULL;
 
 		if (tr != NULL) {
 			nvme_qpair_complete_tracker(tr, &cpl, ERROR_PRINT_ALL);
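Review bot: The new `cpl.cid < qpair->num_trackers` test guards only the load from `act_tr`, while the commit message also names the store that sets the tracker back to NULL on completion, and that store is not in this hunk. Confirm it is reachable only through a `tr` obtained from this checked lookup, so no other path indexes `act_tr` with an unchecked `cpl.cid`. A one-line comment above the `if` saying that `cid` comes from the device's completion entry and is not trusted would tell the next reader why the check exists.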
@@ -644,7 +647,8 @@ nvme_qpair_process_completions(struct nvme_qpair *qpair)
 			 * ignore this condition because it's not unexpected.
 			 */
 			nvme_printf(qpair->ctrlr,
-			    "cpl does not map to outstanding cmd\n");
+			    "cpl (cid = %u) does not map to outstanding cmd\n",
+				cpl.cid);
 			/* nvme_dump_completion expects device endianess */
 			nvme_dump_completion(&qpair->cpl[qpair->cq_head]);
 			KASSERT(0, ("received completion for unknown cmd"));
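Review bot: The continuation line `cpl.cid);` is indented with four tabs, while the continuation directly above it (the format string) uses three tabs plus four spaces; align the two so the argument list reads as one call. Separately, an out-of-range `cid` now yields `tr = NULL` and so appears to land in this branch, where the trailing `KASSERT(0, ("received completion for unknown cmd"))` still fires. On kernels built with assertions enabled, a bad value from the device would then end in a panic after the message is printed, so it is worth stating whether that is the intended outcome for device-supplied data.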