nvme: CQEs with command-specific error 0 are acceptable #965
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
STS_SUCCESS is represented by 0u16, but other command-specific error statuses may also be 0u16. `SYS_CREATE_IO_Q_INVAL_CQ` is also 0u16, returned when creating I/O submission queues. In NVMe 1.1 with multi-path support, path-specific error 0u16 indicates a nondescript "internal path error".
pfmooney
approved these changes
Oct 27, 2025
iximeow
added a commit
that referenced
this pull request
Oct 28, 2025
This tries doing a bunch of random operations against an NVMe device and checks the operations against a limited model of what the results of those operations should be. The initial stab at this is what caught #965, and it caught a bug in an intermediate state of #953 (which other phd tests did notice anyway). This fuzzing would probably be best with actual I/O operations mixed in, and I think that *should* be relatively straightforward to add from here., but as-is it's useful! This would probably be best phrased as a `cargo-fuzz` test to at least get coverage-guided fuzzing. Because of the statefulness of NVMe I think either way we'd want the model of expected device state and a pick-actions-then-run execution to further guide `cargo-fuzz` into useful parts of the device state. The initial approach at this allowed for device reset and migration at arbitrary times via a separate thread. When that required synchronizing the model of device state it was effectively interleaved with "guest" operations on the device, and in practice admin commands are serialized by the `NvmeCtrl` state lock anyway. It may be more interesting to revisit with concurrent I/O operations on submission/completion queues.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
STS_SUCCESS is represented by 0u16, but other command-specific error statuses may also be 0u16.
SYS_CREATE_IO_Q_INVAL_CQis also 0u16, returned when creating I/O submission queues. In NVMe 1.1 with multi-path support, path-specific error 0u16 indicates a nondescript "internal path error".i'd set out to the circumstances i described here by writing a very rudimentary fuzzer driving admin commands while another thread repeatedly resets the controller. this didn't work! my reasoning was pretty wrong:
NvmeCtrlis already under a mutex inPciNvme, and the functions i'd conjectured were running concurrently both take&mut selfso they definitely are not. i did find this though.