The command_id in the CQE is writable by the NVMe controller; the driver should check its sanity before using it. - Tong
On Wed, Sep 16, 2020 at 12:54 PM Keith Busch <[email protected]> wrote: > > On Wed, Sep 16, 2020 at 11:36:49AM -0400, Tong Zhang wrote: > > @@ -960,6 +960,8 @@ static inline void nvme_handle_cqe(struct nvme_queue > > *nvmeq, u16 idx) > > } > > > > req = blk_mq_tag_to_rq(nvme_queue_tagset(nvmeq), cqe->command_id); > > + if (!req) > > + return; > > As I mentioned before, blk_mq_tag_to_rq() returns NULL if the tag > exceeds the depth. We already verify the tag prior to calling this > function, so what's the real root cause for how we're winding up with > NULL here? I'm only asking this because it sounds like there's a bug > somewhere else and this change is masking over it. > > > > trace_nvme_sq(req, cqe->sq_head, nvmeq->sq_tail); > > if (!nvme_try_complete_req(req, cqe->status, cqe->result)) > > nvme_pci_complete_rq(req);
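Review bot: the added `if (!req) return;` after the `blk_mq_tag_to_rq()` call in nvme_handle_cqe() discards the completion silently, so if the NULL is ever reached the condition that produced it (a command_id the driver never issued, or a tag-depth mismatch) leaves no trace. If the check is kept, emit a rate-limited warning with the queue id and `cqe->command_id` before returning, and state in the commit message why the existing tag validation that the reply says runs before this call is not sufficient; without that, the patch masks whatever upstream bug produced the bad tag rather than surfacing it.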


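The point under discussion, that a completion-queue entry is controller-written memory and its command_id must be validated before it is used as an index, as an added stand-alone example. This is not the kernel's nvme_handle_cqe() nor the patch above; the `struct cqe`, `struct queue`, `struct request`, `lookup_unchecked()`, `handle_cqe()` and `deliver()` names are hypothetical, the in-flight table stands in for the blk-mq tag set, and the raw table index models what blk_mq_tag_to_rq() does once the tag has already been checked against the queue depth.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of a completion-queue entry, limited to the fields the handler
 * reads. On real hardware the whole CQE is written by the controller,
 * so command_id is device-controlled input, not a value the driver chose. */
struct cqe {
    uint16_t sq_head;
    uint16_t command_id;
    uint16_t status;
};

/* Hypothetical in-flight request slot; one per tag in the queue. */
struct request {
    int in_flight;
    uint16_t sq_head_at_completion;
};

/* Hypothetical per-queue state: a fixed-depth tag table plus a counter
 * of completions that were rejected as malformed. */
struct queue {
    uint16_t depth;
    struct request *tags;      /* exactly 'depth' entries */
    unsigned bad_cqe_count;
};

enum { CQE_OK = 0, CQE_BAD_TAG = -1, CQE_NOT_IN_FLIGHT = -2 };

/* Raw index into the tag table. With an unchecked command_id this reads
 * past the end of tags[]; it is only safe once the caller has bounded id. */
static struct request *lookup_unchecked(struct queue *q, uint16_t id)
{
    return &q->tags[id];
}

/* Hardened handler: bound-check the device-supplied tag, then confirm the
 * slot really has a command outstanding, before touching the request. */
static int handle_cqe(struct queue *q, const struct cqe *c)
{
    if (c->command_id >= q->depth) {
        q->bad_cqe_count++;
        fprintf(stderr, "cqe: invalid command_id %u (queue depth %u)\n",
                c->command_id, q->depth);
        return CQE_BAD_TAG;
    }
    struct request *req = lookup_unchecked(q, c->command_id);
    if (!req->in_flight) {
        q->bad_cqe_count++;
        fprintf(stderr, "cqe: command_id %u has no command in flight\n",
                c->command_id);
        return CQE_NOT_IN_FLIGHT;
    }
    req->in_flight = 0;
    req->sq_head_at_completion = c->sq_head;
    return CQE_OK;
}

static void queue_init(struct queue *q, struct request *tbl, uint16_t depth)
{
    memset(tbl, 0, sizeof(*tbl) * depth);
    q->depth = depth;
    q->tags = tbl;
    q->bad_cqe_count = 0;
}

/* Build a queue of 'depth' slots with one command in flight at
 * inflight_id, deliver a constructed CQE carrying cqe_id 'times' times,
 * and return the result of the last delivery. */
static int deliver(uint16_t depth, uint16_t inflight_id, uint16_t cqe_id,
                   unsigned times)
{
    struct request tbl[64];
    struct queue q;
    int rc = CQE_BAD_TAG;

    if (depth == 0 || depth > 64 || inflight_id >= depth)
        return CQE_BAD_TAG;         /* test-harness misuse, not a CQE result */
    queue_init(&q, tbl, depth);
    tbl[inflight_id].in_flight = 1;

    struct cqe c = { .sq_head = 1, .command_id = cqe_id, .status = 0 };
    for (unsigned i = 0; i < times; i++)
        rc = handle_cqe(&q, &c);
    return rc;
}

int main(void)
{
    printf("valid tag: %d\n", deliver(8, 3, 3, 1));
    printf("tag == depth (off by one): %d\n", deliver(8, 3, 8, 1));
    printf("tag 0xffff: %d\n", deliver(8, 3, 0xffff, 1));
    printf("same tag completed twice: %d\n", deliver(8, 3, 3, 2));
    return 0;
}
```

The two checks are deliberately separate: the depth comparison is what keeps the table index in bounds, and the in-flight check is what catches a controller (or a driver bug) completing the same tag twice or completing a tag that was never issued, which a bounds check alone cannot see. Both paths log before returning so that a misbehaving device is visible rather than silently ignored.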