NVMe: Detect command IDs completing that are out of range

If the adapter completes a command ID that is outside the bounds of
the array, return CMD_CTX_INVALID instead of random data, and print a
message in the sync_completion handler (which is rapidly becoming the
misc completion handler :-)

Signed-off-by: Matthew Wilcox <matthew.r.wilcox@intel.com>

diff --git a/drivers/block/nvme.c b/drivers/block/nvme.c
index 2dd09e7e142d69bd785b42a6984157343f94a6a5..f4085d4fe0f211ce326e110cd94319a01e852521 100644 (file)
--- a/drivers/block/nvme.c
+++ b/drivers/block/nvme.c
@@ -170,12 +170,15 @@ enum {
 #define CMD_CTX_BASE           (POISON_POINTER_DELTA + sync_completion_id)
 #define CMD_CTX_CANCELLED      (0x2008 + CMD_CTX_BASE)
 #define CMD_CTX_COMPLETED      (0x2010 + CMD_CTX_BASE)
+#define CMD_CTX_INVALID                (0x2014 + CMD_CTX_BASE)
 
 static unsigned long free_cmdid(struct nvme_queue *nvmeq, int cmdid)
 {
        unsigned long data;
        unsigned offset = cmdid + BITS_TO_LONGS(nvmeq->q_depth);
 
+       if (cmdid > nvmeq->q_depth)
+               return CMD_CTX_INVALID;
        data = nvmeq->cmdid_data[offset];
        nvmeq->cmdid_data[offset] = CMD_CTX_COMPLETED;
        clear_bit(cmdid, nvmeq->cmdid_data);
@@ -411,6 +414,12 @@ static void sync_completion(struct nvme_queue *nvmeq, void *ctx,
                                cqe->command_id, le16_to_cpup(&cqe->sq_id));
                return;
        }
+       if (unlikely((unsigned long)cmdinfo == CMD_CTX_INVALID)) {
+               dev_warn(nvmeq->q_dmadev,
+                               "invalid id %d completed on queue %d\n",
+                               cqe->command_id, le16_to_cpup(&cqe->sq_id));
+               return;
+       }
        cmdinfo->result = le32_to_cpup(&cqe->result);
        cmdinfo->status = le16_to_cpup(&cqe->status) >> 1;
        wake_up_process(cmdinfo->task);