nvmf/vfio-user: check SQ doorbell is valid or not before use

According to the specification, we should also post an AER error event for this error case. Fix #2171. Change-Id: Ifb2343453ea5e36ce244938a939537ee6ed1c4e1 Signed-off-by: Changpeng Liu <changpeng.liu@intel.com> Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/9584 Community-CI: Broadcom CI <spdk-ci.pdl@broadcom.com> Tested-by: SPDK CI Jenkins <sys_sgci@intel.com> Reviewed-by: Jim Harris <james.r.harris@intel.com> Reviewed-by: Aleksey Marchuk <alexeymar@mellanox.com>
2021-09-23 16:23:44 +08:00 · 2021-09-23 16:23:44 +08:00 · 742ae4ec72
commit 742ae4ec72
parent 8a0fedf4e6
2 changed files with 15 additions and 0 deletions
--- a/lib/nvmf/vfio_user.c
+++ b/lib/nvmf/vfio_user.c
@ -2767,6 +2767,19 @@ nvmf_vfio_user_qpair_poll(struct nvmf_vfio_user_qpair *qpair)
 	 */
 	spdk_rmb();

+	new_tail = new_tail & 0xffffu;
+	if (spdk_unlikely(new_tail >= qpair->sq.size)) {
+		union spdk_nvme_async_event_completion event = {};
+
+		SPDK_DEBUGLOG(nvmf_vfio, "%s: invalid SQ%u doorbell value %u\n", ctrlr_id(ctrlr), qpair->qpair.qid,
+			      new_tail);
+		event.bits.async_event_type = SPDK_NVME_ASYNC_EVENT_TYPE_ERROR;
+		event.bits.async_event_info = SPDK_NVME_ASYNC_EVENT_INVALID_DB_WRITE;
+		nvmf_ctrlr_async_event_error_event(qpair->qpair.ctrlr, event);
+
+		return 0;
+	}
+
 	if (sq_head(qpair) == new_tail) {
 		return 0;
 	}
--- a/test/unit/lib/nvmf/vfio_user.c/vfio_user_ut.c
+++ b/test/unit/lib/nvmf/vfio_user.c/vfio_user_ut.c
@ -51,6 +51,8 @@ DEFINE_STUB(spdk_nvmf_subsystem_get_nqn, const char *,
 	    (const struct spdk_nvmf_subsystem *subsystem), NULL);
 DEFINE_STUB(spdk_bdev_get_block_size, uint32_t, (const struct spdk_bdev *bdev), 512);
 DEFINE_STUB_V(nvmf_ctrlr_abort_aer, (struct spdk_nvmf_ctrlr *ctrlr));
+DEFINE_STUB(nvmf_ctrlr_async_event_error_event, int, (struct spdk_nvmf_ctrlr *ctrlr,
+		union spdk_nvme_async_event_completion event), 0);

 static void *
 gpa_to_vva(void *prv, uint64_t addr, uint64_t len, int prot)