From: Leon Romanovsky <leon@kernel.org>
To: Robin Murphy <robin.murphy@arm.com>
Cc: Christoph Hellwig <hch@lst.de>,
	Pradeep P V K <pradeep.pragallapati@oss.qualcomm.com>,
	kbusch@kernel.org, axboe@kernel.dk, sagi@grimberg.me,
	linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org,
	nitin.rawat@oss.qualcomm.com,
	Marek Szyprowski <m.szyprowski@samsung.com>,
	iommu@lists.linux.dev
Subject: Re: [PATCH V1] nvme-pci: Fix NULL pointer dereference in nvme_pci_prp_iter_next
Date: Mon, 2 Feb 2026 17:58:04 +0200
Message-ID: <20260202155804.GN34749@unreal>
In-Reply-To: <dc34c246-d6ba-4c2e-8593-6fe32a616174@arm.com>

On Mon, Feb 02, 2026 at 03:16:50PM +0000, Robin Murphy wrote:
> On 2026-02-02 2:35 pm, Christoph Hellwig wrote:
> > On Mon, Feb 02, 2026 at 06:27:38PM +0530, Pradeep P V K wrote:
> > > Fix a NULL pointer dereference that occurs in nvme_pci_prp_iter_next()
> > > when SWIOTLB bounce buffering becomes active during runtime.
> > > 
> > > The issue occurs when SWIOTLB activation changes the device's DMA
> > > mapping requirements at runtime, creating a mismatch between
> > > iod->dma_vecs allocation and access logic.
> > > 
> > > The problem manifests when:
> > > 1. Device initially operates with dma_skip_sync=true
> > >     (coherent DMA assumed)
> > > 2. First SWIOTLB mapping occurs due to DMA address limitations,
> > >     memory encryption, or IOMMU bounce buffering requirements
> > > 3. SWIOTLB calls dma_reset_need_sync(), permanently setting
> > >     dma_skip_sync=false
> > > 4. Subsequent I/Os now have dma_need_unmap()=true, requiring
> > >     iod->dma_vecs
> > 
> > I think this patch just papers over the bug.  If dma_need_unmap
> > can't be trusted before the dma_map_* call, we've not saved
> > the unmap information and the unmap won't work properly.
> 
> The dma_need_unmap() kerneldoc says:
> 
> "This function must be called after all mappings that might
>  need to be unmapped have been performed."
> 
> Trying to infer anything from it beforehand is definitely a bug in the
> caller.

At least for HMM, dma_need_unmap() works as expected. HMM doesn't work
with SWIOTLB.

Thanks
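
Added example (not part of the original message or of the kernel source): a simplified userspace C model of the ordering problem discussed in this thread, where a need-unmap style query made before the mapping call disagrees with the same query made afterwards. All `model_*` names and both comparison functions are hypothetical; only the state transition (a bounce mapping clearing skip_sync for good) is taken from the quoted report.

```c
/* Userspace model with constructed state; this is not kernel code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct model_dev { bool skip_sync; };               /* models dma_skip_sync */
struct model_req { int *vecs; bool need_bounce; };  /* vecs models iod->dma_vecs */

static int vec_storage[4];                          /* stands in for an allocation */

/* Models dma_need_unmap(): the answer depends on current device state. */
static bool model_need_unmap(const struct model_dev *d) { return !d->skip_sync; }

/* Models a mapping call: a bounce mapping clears skip_sync permanently. */
static void model_map(struct model_dev *d, const struct model_req *r)
{
    if (r->need_bounce)
        d->skip_sync = false;
}

/* Query BEFORE mapping, then query again at access time.
 * Returns true when the access path would dereference a NULL vecs. */
static bool early_query_hits_null(struct model_dev *d, struct model_req *r)
{
    r->vecs = model_need_unmap(d) ? vec_storage : NULL;  /* stale decision */
    model_map(d, r);                                     /* state flips here */
    return model_need_unmap(d) && r->vecs == NULL;
}

/* Query only AFTER the mapping, the ordering the quoted kerneldoc requires. */
static bool late_query_hits_null(struct model_dev *d, struct model_req *r)
{
    model_map(d, r);
    r->vecs = model_need_unmap(d) ? vec_storage : NULL;
    return model_need_unmap(d) && r->vecs == NULL;
}

int main(void)
{
    struct model_dev a = { .skip_sync = true }, b = { .skip_sync = true };
    struct model_req ra = { NULL, true }, rb = { NULL, true };

    printf("early query, NULL access: %d\n", early_query_hits_null(&a, &ra));
    printf("late query,  NULL access: %d\n", late_query_hits_null(&b, &rb));
    return 0;
}
```

The model only shows why the two query points disagree; it does not address how a real driver records per-mapping unmap information, which is the open question in the thread.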

Thread overview: 20+ messages
2026-02-02 12:57 [PATCH V1] nvme-pci: Fix NULL pointer dereference in nvme_pci_prp_iter_next Pradeep P V K
2026-02-02 14:35 ` Christoph Hellwig
2026-02-02 15:16   ` Robin Murphy
2026-02-02 15:58     ` Leon Romanovsky [this message]
2026-02-02 17:13     ` Keith Busch
2026-02-02 17:36       ` Christoph Hellwig
2026-02-02 18:59         ` Keith Busch
2026-02-03  5:27           ` Christoph Hellwig
2026-02-03  6:14             ` Keith Busch
2026-02-03  6:23               ` Christoph Hellwig
2026-02-03 14:05             ` Pradeep Pragallapati
2026-02-04 14:04               ` Pradeep Pragallapati
2026-02-04 14:27                 ` Keith Busch
2026-02-03  9:42           ` Leon Romanovsky
2026-02-03 13:50             ` Robin Murphy
2026-02-03 17:41               ` Keith Busch
2026-02-02 17:39       ` Robin Murphy
2026-02-02 15:22   ` Leon Romanovsky
2026-02-02 15:26     ` Robin Murphy
2026-02-02 17:18 ` Keith Busch
