[PATCH v3 4/4] nvme: code command_id with a genctr for use-after-free validation

Daniel Wagner dwagner at suse.de
Thu Jun 17 01:56:27 PDT 2021


On Wed, Jun 16, 2021 at 02:19:36PM -0700, Sagi Grimberg wrote:
> We cannot detect a (perhaps buggy) controller that is sending us
> a completion for a request that was already completed (for example
> sending a completion twice); this phenomenon was seen in the wild
> a few times.
> 
> So to protect against this, we use the upper 4 msbits of the nvme sqe
> command_id to use as a 4-bit generation counter and verify it matches
> the existing request generation that is incrementing on every execution.
> 
> The 16-bit command_id structure now is constructed by:
> | xxxx | xxxxxxxxxxxx |
>   gen    request tag
> 
> This means that we are giving up some possible queue depth as 12 bits
> allow for a maximum queue depth of 4095 instead of 65536, however we
> never create such long queues anyway so no real harm done.
> 
> Suggested-by: Keith Busch <kbusch at kernel.org>
> Reviewed-by: Hannes Reinecke <hare at suse.de>
> Acked-by: Keith Busch <kbusch at kernel.org>
> Signed-off-by: Sagi Grimberg <sagi at grimberg.me>

I've tested (only functional) this on FC (NetApp target). All looks
good.

Tested-by: Daniel Wagner <dwagner at suse.de>
Reviewed-by: Daniel Wagner <dwagner at suse.de>
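The command_id layout described in the quoted commit message, written out as an added example (this is not the kernel patch under review and none of its names are nvme driver identifiers; all `example_*` functions and the `struct example_request` table are hypothetical). It shows the 4-bit generation counter in the upper bits, the 12-bit tag in the lower bits, and how a completion carrying a stale command_id is rejected once the tag has been reissued under a new generation:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not driver code: command_id is | gen (4 bits) | tag (12 bits) |. */
#define GENCTR_BITS   4
#define GENCTR_SHIFT  (16 - GENCTR_BITS)           /* tag occupies the low 12 bits */
#define TAG_MASK      ((1u << GENCTR_SHIFT) - 1)   /* 0x0fff */
#define GENCTR_MASK   ((1u << GENCTR_BITS) - 1)    /* 0xf */
#define MAX_QUEUE_DEPTH TAG_MASK                   /* 4095 usable tags, as the message states */

/* Hypothetical per-request bookkeeping; the real driver keeps this elsewhere. */
struct example_request {
    uint16_t tag;       /* index into the queue's request table */
    uint8_t  genctr;    /* bumped on every issue, wraps after 16 reuses */
    bool     in_flight;
};

static inline uint16_t example_cid(uint16_t tag, uint8_t genctr)
{
    return (uint16_t)(((genctr & GENCTR_MASK) << GENCTR_SHIFT) | (tag & TAG_MASK));
}

static inline uint16_t example_tag_from_cid(uint16_t cid)
{
    return cid & TAG_MASK;
}

static inline uint8_t example_genctr_from_cid(uint16_t cid)
{
    return (uint8_t)((cid >> GENCTR_SHIFT) & GENCTR_MASK);
}

/* Issue path: advance the request's generation and build the SQE command_id. */
uint16_t example_issue(struct example_request *rq)
{
    rq->genctr = (uint8_t)((rq->genctr + 1) & GENCTR_MASK);
    rq->in_flight = true;
    return example_cid(rq->tag, rq->genctr);
}

/* Completion path: accept only if the tag is in range, the request is still
 * outstanding, and the generation in the command_id matches the request's
 * current generation. A duplicate or stale completion returns false instead
 * of touching a request that may already belong to a new command. */
bool example_complete(struct example_request *table, size_t depth, uint16_t cid)
{
    uint16_t tag = example_tag_from_cid(cid);
    if (tag >= depth)
        return false;
    struct example_request *rq = &table[tag];
    if (!rq->in_flight || example_genctr_from_cid(cid) != rq->genctr)
        return false;
    rq->in_flight = false;
    return true;
}

/* The scenario from the commit message: the controller completes the same
 * command twice, and the tag has meanwhile been reused for a new command.
 * Returns 1 when every outcome is as expected. */
int example_duplicate_completion_detected(void)
{
    struct example_request table[8] = {0};
    for (uint16_t i = 0; i < 8; i++)
        table[i].tag = i;

    uint16_t cid = example_issue(&table[3]);
    bool first  = example_complete(table, 8, cid);   /* genuine completion */
    bool second = example_complete(table, 8, cid);   /* duplicate: not in flight */

    uint16_t cid2 = example_issue(&table[3]);        /* tag 3 reused, genctr advanced */
    bool stale = example_complete(table, 8, cid);    /* old cid: generation mismatch */
    bool fresh = example_complete(table, 8, cid2);   /* new cid: accepted */

    return first && !second && !stale && fresh;
}

int main(void)
{
    printf("cid(tag=0x123, gen=0xa) = 0x%04x\n", example_cid(0x123, 0xa));
    printf("duplicate/stale completions rejected: %s\n",
           example_duplicate_completion_detected() ? "yes" : "no");
    return 0;
}
```

Because the generation field is only 4 bits, a tag reissued exactly 16 times between the original command and the late completion would match again; the check narrows the window for a buggy controller rather than closing it completely, which is consistent with the trade-off the commit message describes.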
