From: Leon Romanovsky <leon@kernel.org>
To: Christoph Hellwig <hch@lst.de>
Cc: Pradeep P V K <pradeep.pragallapati@oss.qualcomm.com>,
kbusch@kernel.org, axboe@kernel.dk, sagi@grimberg.me,
linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org,
nitin.rawat@oss.qualcomm.com,
Marek Szyprowski <m.szyprowski@samsung.com>,
Robin Murphy <robin.murphy@arm.com>,
iommu@lists.linux.dev
Subject: Re: [PATCH V1] nvme-pci: Fix NULL pointer dereference in nvme_pci_prp_iter_next
Date: Mon, 2 Feb 2026 17:22:52 +0200
Message-ID: <20260202152252.GM34749@unreal>
In-Reply-To: <20260202143548.GA19313@lst.de>
On Mon, Feb 02, 2026 at 03:35:48PM +0100, Christoph Hellwig wrote:
> On Mon, Feb 02, 2026 at 06:27:38PM +0530, Pradeep P V K wrote:
> > Fix a NULL pointer dereference that occurs in nvme_pci_prp_iter_next()
> > when SWIOTLB bounce buffering becomes active during runtime.
> >
> > The issue occurs when SWIOTLB activation changes the device's DMA
> > mapping requirements at runtime, creating a mismatch between
> > iod->dma_vecs allocation and access logic.
> >
> > The problem manifests when:
> > 1. Device initially operates with dma_skip_sync=true
> > (coherent DMA assumed)
> > 2. First SWIOTLB mapping occurs due to DMA address limitations,
> > memory encryption, or IOMMU bounce buffering requirements
> > 3. SWIOTLB calls dma_reset_need_sync(), permanently setting
> > dma_skip_sync=false
> > 4. Subsequent I/Os now have dma_need_unmap()=true, requiring
> > iod->dma_vecs
>
> I think this patch just papers over the bug.
Agree
> If dma_need_unmap can't be trusted before the dma_map_* call, we've not saved
> the unmap information and the unmap won't work properly.
>
> So we'll need to extend the core code to tell if a mapping
> will set dma_skip_sync=false before doing the mapping.
There are two paths that lead to SWIOTLB in dma_direct_map_phys().
The first is is_swiotlb_force_bounce(dev), which dma_need_unmap() can
easily evaluate. The second is more problematic, as it depends on
dma_addr and size, neither of which is available in dma_need_unmap():
	if (unlikely(!dma_capable(dev, dma_addr, size, true)) ||
	    dma_kmalloc_needs_bounce(dev, size, dir)) {
		if (is_swiotlb_active(dev))
What about the following change?
diff --git a/kernel/dma/mapping.c b/kernel/dma/mapping.c
index 37163eb49f9f..1510b93a8791 100644
--- a/kernel/dma/mapping.c
+++ b/kernel/dma/mapping.c
@@ -461,6 +461,8 @@ bool dma_need_unmap(struct device *dev)
{
if (!dma_map_direct(dev, get_dma_ops(dev)))
return true;
+ if (is_swiotlb_force_bounce(dev) || is_swiotlb_active(dev))
+ return true;
if (!dev->dma_skip_sync)
return true;
return IS_ENABLED(CONFIG_DMA_API_DEBUG);
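Review bot: the is_swiotlb_force_bounce(dev) half of the new condition looks redundant, since a device can only be forced to bounce when it has a SWIOTLB pool attached, which is what is_swiotlb_active(dev) already tests; if that holds, "if (is_swiotlb_active(dev)) return true;" says the same thing with one call. The bigger question is cost: is_swiotlb_active() is true for every device on a system that has a SWIOTLB pool at all, not only for devices that will actually bounce, so with this change the dma_skip_sync fast path on the lines below becomes unreachable on most such systems and every caller of dma_need_unmap() keeps its unmap bookkeeping. That is a safe answer to the dma_addr/size dependent path described earlier in the mail, but the two new lines should carry a comment saying why the per-mapping bounce decision cannot be predicted here, and the function's documentation comment should note that the result is now a conservative upper bound rather than an exact answer.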
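The following is an added, stand-alone C model of the mismatch discussed in this thread; it is not kernel code and not part of anyone's mail. It uses toy stand-ins for struct device, the SWIOTLB pool, dma_capable() and the mapping call (all hypothetical names and field layouts), and runs the scenario from the patch description twice: once with dma_need_unmap() trusting dma_skip_sync, once with the pool check proposed above. The point it shows is that the decision taken before dma_map_*() is what the later access relies on, so a flag flipped during the mapping cannot be repaired after the fact.

```c
/* Added model, not kernel code: reproduces the dma_need_unmap() /
 * dma_skip_sync mismatch from the thread with hypothetical toy types. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for the kernel's struct io_tlb_mem / struct device. */
struct io_tlb_mem { bool force_bounce; size_t nslabs; };
struct device {
	bool dma_skip_sync;         /* true: no sync/unmap bookkeeping needed (so far) */
	uint64_t dma_mask;          /* highest DMA address the device can reach */
	struct io_tlb_mem *io_tlb;  /* NULL when no SWIOTLB pool is attached */
};

static bool is_swiotlb_force_bounce(const struct device *dev)
{
	return dev->io_tlb && dev->io_tlb->force_bounce;
}

static bool is_swiotlb_active(const struct device *dev)
{
	return dev->io_tlb && dev->io_tlb->nslabs;
}

/* Toy dma_capable(): reachable iff the whole range fits under the mask. */
static bool dma_capable(const struct device *dev, uint64_t addr, size_t size)
{
	return addr + size - 1 <= dev->dma_mask;
}

/* Current behaviour as quoted in the thread: trusts dma_skip_sync. */
static bool dma_need_unmap_current(const struct device *dev)
{
	return !dev->dma_skip_sync;
}

/* Proposal from the mail: any device with a SWIOTLB pool may bounce. */
static bool dma_need_unmap_proposed(const struct device *dev)
{
	if (is_swiotlb_force_bounce(dev) || is_swiotlb_active(dev))
		return true;
	return !dev->dma_skip_sync;
}

/* Toy mapping: bounce when the address is unreachable and a pool exists; the
 * first bounce permanently clears dma_skip_sync, like dma_reset_need_sync(). */
static bool dma_map_toy(struct device *dev, uint64_t paddr, size_t size)
{
	if (!dma_capable(dev, paddr, size) && is_swiotlb_active(dev)) {
		dev->dma_skip_sync = false;
		return true;
	}
	return false;
}

/* Driver side of one request. The bookkeeping (iod->dma_vecs in the real
 * driver) is allocated only if need_unmap() says so *before* mapping; a
 * later check in the same request that sees need_unmap() == true without
 * that allocation is the NULL dereference. Returns 1 for such a fault. */
static int run_request(struct device *dev,
		       bool (*need_unmap)(const struct device *),
		       uint64_t paddr, size_t size)
{
	bool have_vecs = need_unmap(dev);   /* decision taken before mapping */

	dma_map_toy(dev, paddr, size);      /* may flip dma_skip_sync */

	if (need_unmap(dev) && !have_vecs)  /* re-check after mapping */
		return 1;
	return 0;
}

/* Constructed scenario: dma_skip_sync starts true, a 32-bit mask, a pool is
 * attached; I/O 1 is reachable, I/O 2 is above the mask and bounces, I/O 3 is
 * reachable again but runs after the flag was cleared. */
static int scenario(bool (*need_unmap)(const struct device *))
{
	struct io_tlb_mem pool = { .force_bounce = false, .nslabs = 1024 };
	struct device dev = { .dma_skip_sync = true,
			      .dma_mask = 0xffffffffULL, .io_tlb = &pool };
	int faults = 0;

	faults += run_request(&dev, need_unmap, 0x1000, 4096);
	faults += run_request(&dev, need_unmap, 0x100000000ULL, 4096);
	faults += run_request(&dev, need_unmap, 0x2000, 4096);
	return faults;
}

int main(void)
{
	printf("faults with current dma_need_unmap():  %d\n",
	       scenario(dma_need_unmap_current));   /* 1: the bouncing I/O */
	printf("faults with proposed dma_need_unmap(): %d\n",
	       scenario(dma_need_unmap_proposed));  /* 0 */
	return 0;
}
```

The fault in the "current" run happens on the second I/O only: the flag is still true when the bookkeeping decision is taken, the mapping clears it, and the subsequent check finds nothing allocated. The third I/O is fine because the flag was already false when the request started, matching the "subsequent I/Os" wording of the patch description. The proposed variant avoids the fault by always answering true for a device with a pool, which is also why it costs the fast path for every such device.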
2026-02-02 12:57 [PATCH V1] nvme-pci: Fix NULL pointer dereference in nvme_pci_prp_iter_next Pradeep P V K
2026-02-02 14:35 ` Christoph Hellwig
2026-02-02 15:16 ` Robin Murphy
2026-02-02 15:58 ` Leon Romanovsky
2026-02-02 17:13 ` Keith Busch
2026-02-02 17:36 ` Christoph Hellwig
2026-02-02 18:59 ` Keith Busch
2026-02-03 5:27 ` Christoph Hellwig
2026-02-03 6:14 ` Keith Busch
2026-02-03 6:23 ` Christoph Hellwig
2026-02-03 14:05 ` Pradeep Pragallapati
2026-02-04 14:04 ` Pradeep Pragallapati
2026-02-04 14:27 ` Keith Busch
2026-02-03 9:42 ` Leon Romanovsky
2026-02-03 13:50 ` Robin Murphy
2026-02-03 17:41 ` Keith Busch
2026-02-02 17:39 ` Robin Murphy
2026-02-02 15:22 ` Leon Romanovsky [this message]
2026-02-02 15:26 ` Robin Murphy
2026-02-02 17:18 ` Keith Busch