Commit 091aa2b6 authored by Changpeng Liu's avatar Changpeng Liu

nvmf/vfio-user: fix potential overflow for qsize/MQES/NLB



The NVMe spec defines these sizes (MQES, or QSIZE from the create/delete
I/O queue commands) as 0-based uint16_t values, but vfio-user stores the
1-based count (the field value plus one). Keeping that count in a uint16_t
lets 0xFFFF + 1 wrap to 0, so use uint32_t to make sure the value cannot
overflow. The same applies to NLB (number of logical blocks).

Change-Id: I7654b7e12234525c0fce78a713dd50097e9b3d58
Signed-off-by: default avatarChangpeng Liu <changpeng.liu@intel.com>
Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/9632


Tested-by: default avatarSPDK CI Jenkins <sys_sgci@intel.com>
Community-CI: Broadcom CI <spdk-ci.pdl@broadcom.com>
Community-CI: Mellanox Build Bot
Reviewed-by: default avatarBen Walker <benjamin.walker@intel.com>
Reviewed-by: default avatarJim Harris <james.r.harris@intel.com>
parent 318a3f0a
+11 −9
@@ -140,7 +140,7 @@ struct nvmf_vfio_user_qpair {
	struct spdk_nvmf_transport_poll_group	*group;
	struct nvmf_vfio_user_ctrlr		*ctrlr;
	struct nvmf_vfio_user_req		*reqs_internal;
	uint16_t				qsize;
	uint32_t				qsize;
	struct nvme_q				cq;
	struct nvme_q				sq;
	enum nvmf_vfio_user_qpair_state		state;
@@ -589,7 +589,7 @@ err:
	return NULL;
}

static uint16_t
static uint32_t
max_queue_size(struct nvmf_vfio_user_ctrlr const *ctrlr)
{
	assert(ctrlr != NULL);
@@ -1016,9 +1016,9 @@ free_qp(struct nvmf_vfio_user_ctrlr *ctrlr, uint16_t qid)
/* This function can only fail because of memory allocation errors. */
static int
init_qp(struct nvmf_vfio_user_ctrlr *ctrlr, struct spdk_nvmf_transport *transport,
	const uint16_t qsize, const uint16_t id)
	const uint32_t qsize, const uint16_t id)
{
	uint16_t i;
	uint32_t i;
	struct nvmf_vfio_user_qpair *qpair;
	struct nvmf_vfio_user_req *vu_req, *tmp;
	struct spdk_nvmf_request *req;
@@ -1094,7 +1094,8 @@ static int
handle_create_io_q(struct nvmf_vfio_user_ctrlr *ctrlr,
		   struct spdk_nvme_cmd *cmd, const bool is_cq)
{
	uint16_t qid, qsize;
	uint16_t qid;
	uint32_t qsize;
	uint16_t sc = SPDK_NVME_SC_SUCCESS;
	uint16_t sct = SPDK_NVME_SCT_GENERIC;
	int err = 0;
@@ -1123,7 +1124,7 @@ handle_create_io_q(struct nvmf_vfio_user_ctrlr *ctrlr,

	qsize = cmd->cdw10_bits.create_io_q.qsize + 1;
	if (qsize > max_queue_size(ctrlr)) {
		SPDK_ERRLOG("%s: queue too big, want=%d, max=%d\n", ctrlr_id(ctrlr),
		SPDK_ERRLOG("%s: queue too big, want=%u, max=%u\n", ctrlr_id(ctrlr),
			    qsize, max_queue_size(ctrlr));
		sct = SPDK_NVME_SCT_COMMAND_SPECIFIC;
		sc = SPDK_NVME_SC_INVALID_QUEUE_SIZE;
@@ -2580,8 +2581,8 @@ get_nvmf_req(struct nvmf_vfio_user_qpair *qpair)
static int
get_nvmf_io_req_length(struct spdk_nvmf_request *req)
{
	uint16_t nlb, nr;
	uint32_t nsid;
	uint16_t nr;
	uint32_t nlb, nsid;
	struct spdk_nvme_cmd *cmd = &req->cmd->nvme_cmd;
	struct spdk_nvmf_ctrlr *ctrlr = req->qpair->ctrlr;
	struct spdk_nvmf_ns *ns;
@@ -2882,7 +2883,8 @@ nvmf_vfio_user_qpair_abort_request(struct spdk_nvmf_qpair *qpair,
{
	struct nvmf_vfio_user_qpair *vu_qpair;
	struct nvmf_vfio_user_req *vu_req, *vu_req_to_abort = NULL;
	uint16_t i, cid;
	uint32_t i;
	uint16_t cid;

	vu_qpair = SPDK_CONTAINEROF(qpair, struct nvmf_vfio_user_qpair, qpair);
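Review bot: The widened `qsize` in handle_create_io_q now correctly rejects the 0xFFFF-plus-one wrap, but the visible check at `if (qsize > max_queue_size(ctrlr))` still only bounds the guest-supplied value from above; a QSIZE field of 0 yields `qsize == 1`, which the NVMe spec treats as an invalid queue size (an I/O queue must hold at least two entries). Nothing in this hunk rejects that case, so unless a lower-bound check exists in the part of the function outside the hunk, I would change the condition to `if (qsize == 1 || qsize > max_queue_size(ctrlr))` and return the same SPDK_NVME_SC_INVALID_QUEUE_SIZE status that the existing branch sets. The NLB widening in get_nvmf_io_req_length deserves the same scrutiny: the `+ 1` and the byte-length computation are outside the hunk, so it is worth confirming that the resulting length for the largest supported block size still fits the function's int return type. handle_create_io_q and get_nvmf_io_req_length both start and end outside the hunks shown here.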