hw/block/nvme: fix queue identifer validation

author Gollu Appalanaidu <anaidu.gollu@samsung.com>

Thu, 22 Oct 2020 09:07:08 +0000 (14:37 +0530)

committer Klaus Jensen <k.jensen@samsung.com>

Tue, 27 Oct 2020 10:29:25 +0000 (11:29 +0100)
author Gollu Appalanaidu <anaidu.gollu@samsung.com>
Thu, 22 Oct 2020 09:07:08 +0000 (14:37 +0530)
committer Klaus Jensen <k.jensen@samsung.com>
Tue, 27 Oct 2020 10:29:25 +0000 (11:29 +0100)
diff --git a/hw/block/nvme.c b/hw/block/nvme.c

index 5dfef0204c2c286abdcca0c241418ef29c00b286..fa2cba744b57cba94d7a7803496dc0746f18e8e8 100644 (file)
--- a/hw/block/nvme.c
+++ b/hw/block/nvme.c
@@ -1143,7 +1143,8 @@ static uint16_t nvme_create_sq(NvmeCtrl *n, NvmeRequest *req)
          trace_pci_nvme_err_invalid_create_sq_cqid(cqid);
          return NVME_INVALID_CQID | NVME_DNR;
      }
-    if (unlikely(!sqid || !nvme_check_sqid(n, sqid))) {
+    if (unlikely(!sqid || sqid > n->params.max_ioqpairs ||
+        n->sq[sqid] != NULL)) {
          trace_pci_nvme_err_invalid_create_sq_sqid(sqid);
          return NVME_INVALID_QID | NVME_DNR;
      }
@@ -1398,7 +1399,8 @@ static uint16_t nvme_create_cq(NvmeCtrl *n, NvmeRequest *req)
      trace_pci_nvme_create_cq(prp1, cqid, vector, qsize, qflags,
                               NVME_CQ_FLAGS_IEN(qflags) != 0);
  
-    if (unlikely(!cqid || !nvme_check_cqid(n, cqid))) {
+    if (unlikely(!cqid || cqid > n->params.max_ioqpairs ||
+        n->cq[cqid] != NULL)) {
          trace_pci_nvme_err_invalid_create_cq_cqid(cqid);
          return NVME_INVALID_QID | NVME_DNR;
      }
author	Gollu Appalanaidu <anaidu.gollu@samsung.com>
	Thu, 22 Oct 2020 09:07:08 +0000 (14:37 +0530)
committer	Klaus Jensen <k.jensen@samsung.com>
	Tue, 27 Oct 2020 10:29:25 +0000 (11:29 +0100)