nvmf: pass bb and in-capsule data to prep_data

This fixes an oversight that allowed in-capsule data block SGLs to
potentially refer to more than the received in-capsule data size.

It also makes spdk_nvmf_request_prep_data() less dependent on the
RDMA-specific rx_desc/tx_desc structures.

Change-Id: I34d61aca4cf5ba033849673116d16ec90488dcd4
Signed-off-by: Daniel Verkamp <daniel.verkamp@intel.com>

lib/nvmf/conn.c

@@ -476,8 +476,7 @@ static int nvmf_recv(struct spdk_nvmf_conn *conn, struct ibv_wc *wc)
 		SPDK_ERRLOG("recv length less than capsule header\n");
 		goto recv_error;
 	}
-	rx_desc->recv_bc = wc->byte_len;
-	SPDK_TRACELOG(SPDK_TRACE_NVMF, "recv byte count %x\n", rx_desc->recv_bc);
+	SPDK_TRACELOG(SPDK_TRACE_NVMF, "recv byte count 0x%x\n", wc->byte_len);
 
 	/* get a response buffer */
 	if (STAILQ_EMPTY(&conn->rdma.qp_tx_desc)) {
@@ -499,7 +498,9 @@ static int nvmf_recv(struct spdk_nvmf_conn *conn, struct ibv_wc *wc)
 
 	nvmf_trace_command(cap_hdr, conn->type);
 
-	ret = spdk_nvmf_request_prep_data(req);
+	ret = spdk_nvmf_request_prep_data(req,
+					  rx_desc->bb, wc->byte_len - sizeof(*cap_hdr),
+					  rx_desc->bb, rx_desc->bb_sgl.length);
 	if (ret < 0) {
 		SPDK_ERRLOG("prep_data failed\n");
 		goto recv_error;

lib/nvmf/rdma.c

@@ -401,8 +401,6 @@ nvmf_post_rdma_recv(struct spdk_nvmf_conn *conn,
 	conn->sq_head < (conn->sq_depth - 1) ? (conn->sq_head++) : (conn->sq_head = 0);
 	SPDK_TRACELOG(SPDK_TRACE_DEBUG, "sq_head %x, sq_depth %x\n", conn->sq_head, conn->sq_depth);
 
-	rx_desc->recv_bc = 0; /* clear previous recv byte count */
-
 	wr.wr_id = (uintptr_t)rx_desc;
 	wr.next = NULL;
 	wr.sg_list = &rx_desc->recv_sgl;

lib/nvmf/rdma.h

@@ -67,7 +67,6 @@ struct nvme_qp_rx_desc {
 	struct ibv_mr		*bb_mr;
 	uint8_t			*bb;
 	uint32_t		bb_len;
-	uint32_t		recv_bc;
 	STAILQ_ENTRY(nvme_qp_rx_desc) link;
 };
 

lib/nvmf/request.c

@@ -654,10 +654,11 @@ nvmf_process_fabrics_command(struct nvmf_request *req)
 }
 
 int
-spdk_nvmf_request_prep_data(struct nvmf_request *req)
+spdk_nvmf_request_prep_data(struct nvmf_request *req,
+			    void *in_cap_data, uint32_t in_cap_len,
+			    void *bb, uint32_t bb_len)
 {
 	struct nvme_qp_tx_desc *tx_desc = req->tx_desc;
-	struct nvme_qp_rx_desc *rx_desc = req->rx_desc;
 	struct spdk_nvmf_conn *conn = tx_desc->conn;
 	struct spdk_nvme_cmd *cmd = &req->cmd->nvme_cmd;
 	enum spdk_nvme_data_transfer xfer;
@@ -678,20 +679,20 @@ spdk_nvmf_request_prep_data(struct nvmf_request *req)
 			SPDK_TRACELOG(SPDK_TRACE_RDMA, "Keyed data block: raddr 0x%" PRIx64 ", rkey 0x%x, length 0x%x\n",
 				      sgl->address, sgl->keyed.key, sgl->keyed.length);
 
-			if (sgl->keyed.length > rx_desc->bb_sgl.length) {
+			if (sgl->keyed.length > bb_len) {
 				SPDK_ERRLOG("SGL length 0x%x exceeds BB length 0x%x\n",
-					    sgl->keyed.length, rx_desc->bb_sgl.length);
+					    sgl->keyed.length, bb_len);
 				return -1;
 			}
 
-			req->data = rx_desc->bb;
+			req->data = bb;
 			req->remote_addr = sgl->address;
 			req->rkey = sgl->keyed.key;
 			req->length = sgl->keyed.length;
 		} else if (sgl->generic.type == SPDK_NVME_SGL_TYPE_DATA_BLOCK &&
 			   sgl->unkeyed.subtype == SPDK_NVME_SGL_SUBTYPE_OFFSET) {
 			uint64_t offset = sgl->address;
-			uint32_t max_len = rx_desc->bb_sgl.length;
+			uint32_t max_len = in_cap_len;
 
 			SPDK_TRACELOG(SPDK_TRACE_RDMA, "In-capsule data: offset 0x%" PRIx64 ", length 0x%x\n",
 				      offset, sgl->unkeyed.length);
@@ -714,7 +715,7 @@ spdk_nvmf_request_prep_data(struct nvmf_request *req)
 				return -1;
 			}
 
-			req->data = rx_desc->bb + offset;
+			req->data = in_cap_data + offset;
 			req->length = sgl->unkeyed.length;
 		} else {
 			SPDK_ERRLOG("Invalid NVMf I/O Command SGL:  Type 0x%x, Subtype 0x%x\n",

lib/nvmf/request.h

@@ -74,7 +74,9 @@ struct nvmf_request {
 };
 
 int
-spdk_nvmf_request_prep_data(struct nvmf_request *req);
+spdk_nvmf_request_prep_data(struct nvmf_request *req,
+			    void *in_cap_data, uint32_t in_cap_len,
+			    void *bb, uint32_t bb_len);
 
 int
 spdk_nvmf_request_exec(struct nvmf_request *req);