Commit 742ae4ec authored by Changpeng Liu's avatar Changpeng Liu Committed by Tomasz Zawadzki
Browse files

nvmf/vfio-user: check SQ doorbell is valid or not before use 



According to the specification, we should also post an AER
error event for this error case.

Fix #2171.

Change-Id: Ifb2343453ea5e36ce244938a939537ee6ed1c4e1
Signed-off-by: default avatarChangpeng Liu <changpeng.liu@intel.com>
Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/9584


Community-CI: Broadcom CI <spdk-ci.pdl@broadcom.com>
Tested-by: default avatarSPDK CI Jenkins <sys_sgci@intel.com>
Reviewed-by: default avatarJim Harris <james.r.harris@intel.com>
Reviewed-by: default avatarAleksey Marchuk <alexeymar@mellanox.com>
parent 8a0fedf4

lib/nvmf/vfio_user.c

+13 −0
Original line number Diff line number Diff line
@@ -2767,6 +2767,19 @@ nvmf_vfio_user_qpair_poll(struct nvmf_vfio_user_qpair *qpair) 
	 */

	spdk_rmb();



	new_tail = new_tail & 0xffffu;

	if (spdk_unlikely(new_tail >= qpair->sq.size)) {

		union spdk_nvme_async_event_completion event = {};



		SPDK_DEBUGLOG(nvmf_vfio, "%s: invalid SQ%u doorbell value %u\n", ctrlr_id(ctrlr), qpair->qpair.qid,

			      new_tail);

		event.bits.async_event_type = SPDK_NVME_ASYNC_EVENT_TYPE_ERROR;

		event.bits.async_event_info = SPDK_NVME_ASYNC_EVENT_INVALID_DB_WRITE;

		nvmf_ctrlr_async_event_error_event(qpair->qpair.ctrlr, event);



		return 0;

	}



	if (sq_head(qpair) == new_tail) {

		return 0;

	}

test/unit/lib/nvmf/vfio_user.c/vfio_user_ut.c

+2 −0
Original line number Diff line number Diff line
@@ -51,6 +51,8 @@ DEFINE_STUB(spdk_nvmf_subsystem_get_nqn, const char *, 
	    (const struct spdk_nvmf_subsystem *subsystem), NULL);

DEFINE_STUB(spdk_bdev_get_block_size, uint32_t, (const struct spdk_bdev *bdev), 512);

DEFINE_STUB_V(nvmf_ctrlr_abort_aer, (struct spdk_nvmf_ctrlr *ctrlr));

DEFINE_STUB(nvmf_ctrlr_async_event_error_event, int, (struct spdk_nvmf_ctrlr *ctrlr,

		union spdk_nvme_async_event_completion event), 0);



static void *

gpa_to_vva(void *prv, uint64_t addr, uint64_t len, int prot)