NVMe: Protect against badly formatted CQEs
author Keith Busch <keith.busch@intel.com>
Fri, 25 Apr 2014 00:53:50 +0000 (18:53 -0600)
committer Matthew Wilcox <matthew.r.wilcox@intel.com>
Mon, 5 May 2014 14:41:25 +0000 (10:41 -0400)
If a misbehaving device posts a CQE with a command id < depth but for
one that was never allocated, the command info will have a callback
function set to NULL and we don't want to try invoking that.

Signed-off-by: Keith Busch <keith.busch@intel.com>
Signed-off-by: Matthew Wilcox <matthew.r.wilcox@intel.com>
drivers/block/nvme-core.c

index 074e9829bb0830ba0b3c163090574d7e71ada875..b9f07f81ea5d7c12cb6da588968e325aec084351 100644 (file)
@@ -243,8 +243,9 @@ static void *free_cmdid(struct nvme_queue *nvmeq, int cmdid,
        void *ctx;
        struct nvme_cmd_info *info = nvme_cmd_info(nvmeq);
 
-       if (cmdid >= nvmeq->q_depth) {
-               *fn = special_completion;
+       if (cmdid >= nvmeq->q_depth || !info[cmdid].fn) {
+               if (fn)
+                       *fn = special_completion;
                return CMD_CTX_INVALID;
        }
        if (fn)
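Review bot: The new test `cmdid >= nvmeq->q_depth || !info[cmdid].fn` only bounds cmdid from above, yet the parameter is declared `int cmdid`, so a negative value would pass the first comparison and index before the start of info[]. Since this path exists to distrust what the device posts, either reject `cmdid < 0` here as well or make the parameter unsigned so the single comparison covers both ends. Separately, the added `if (fn)` guard on the invalid path is a behaviour change the commit message does not mention; a sentence there, plus a short comment noting that a NULL `fn` marks a slot that was never allocated, would make the intent clear to later readers.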