bhyve nvme: Fix out-of-bound IOV array access
NVMe operations indicate the memory region(s) associated with a command via physical region pages (PRPs). Since each PRP has a fixed size, contiguous memory regions larger than the PRP size require multiple PRP entries. Instead of issuing a blockif call for each PRP, the NVMe emulation concatenates multiple contiguous PRP entries into a single blockif request. The test for contiguous regions has a bug such that it mistakenly treats an initial address of zero as a contiguous range and concatenates it with the previous. But because there is no previous IOV, the concatenation code corrupts the IO request structure and leads to a segmentation fault when the blockif request completes. Fix is to test for the existence of a previous range before trying to concatenate the current range with the previous one.
No data to display