From 7961917493baedb0aafd41d88029ed610d0c433f Mon Sep 17 00:00:00 2001
From: Matt DeVillier
Date: Tue, 21 Aug 2018 10:00:53 -0500
Subject: nvme: fix I/O queue length calculation overflow

Commit cd47172 changed the I/O queue length calculation to use the Maximum Queue Entries Supported (MQES) value from the capabilities register, plus one, with a maximum value of NVME_PAGE_SIZE. An unintended effect from this is that due to length being an unsigned 16-bit int, a MQES value of 0xFFFF yields a length of zero, resulting in the queue allocation failing. Fix this by changing length to a u32.

TEST: build/boot on a Purism Librem13v2 with a MyDigitalSSD BPX NVMe drive, which reports a MQES of 0xFFFF. Verify NVMe drive present in boot menu and OS boots successfully.

Signed-off-by: Matt DeVillier
---
 src/hw/nvme.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/hw/nvme.c b/src/hw/nvme.c
index e6d739d9..2e3aa386 100644
--- a/src/hw/nvme.c
+++ b/src/hw/nvme.c
@@ -318,7 +318,7 @@ nvme_create_io_cq(struct nvme_ctrl *ctrl, struct nvme_cq *cq, u16 q_idx)
 {
     int rc;
     struct nvme_sqe *cmd_create_cq;
-    u16 length = 1 + (ctrl->reg->cap & 0xffff);
+    u32 length = 1 + (ctrl->reg->cap & 0xffff);
     if (length > NVME_PAGE_SIZE / sizeof(struct nvme_cqe))
         length = NVME_PAGE_SIZE / sizeof(struct nvme_cqe);
 
@@ -362,7 +362,7 @@ nvme_create_io_sq(struct nvme_ctrl *ctrl, struct nvme_sq *sq, u16 q_idx, struct
 {
     int rc;
     struct nvme_sqe *cmd_create_sq;
-    u16 length = 1 + (ctrl->reg->cap & 0xffff);
+    u32 length = 1 + (ctrl->reg->cap & 0xffff);
     if (length > NVME_PAGE_SIZE / sizeof(struct nvme_cqe))
         length = NVME_PAGE_SIZE / sizeof(struct nvme_cqe);
 
-- 
cgit
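Review bot: The submission-queue hunk at line 362 still caps `length` with `sizeof(struct nvme_cqe)` rather than `sizeof(struct nvme_sqe)`, so both functions derive the same bound although their ring entries differ in size; whether that merely wastes space or lets a device-reported MQES drive the submission ring past one page depends on how the queue-init helper these functions pass `length` to (not visible here) sizes its allocation, so it should be confirmed rather than assumed to be a harmless copy-paste. The widening itself is right: CAP.MQES is zero-based, so a controller reporting 0xffff means 65536 entries, which wraps to 0 in a u16 before the page-size cap can bound it, and that cap is the only thing keeping a device-supplied value from deciding the allocation size, so it deserves a comment such as `/* CAP.MQES (bits 15:0) is zero-based: 0xffff means 65536 entries, so compute in 32 bits before capping to one page. */`. The same three-line computation appears verbatim in both hunks; a small static helper returning the capped entry count would leave one place to fix the entry size. If the callee still takes the count as u16, the page-size cap keeps the value representable, but that parameter type is outside the hunks. The bodies of nvme_create_io_cq and nvme_create_io_sq continue past both hunks.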