* Re: [PATCH rc] iommu/dma: Do not try to iommu_map a 0 length region in swiotlb
2026-06-08 18:10 ` [PATCH rc] iommu/dma: Do not try to iommu_map a 0 length region in swiotlb Jason Gunthorpe
@ 2026-06-09 8:36 ` Christoph Hellwig
2026-06-09 14:52 ` Leon Romanovsky
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Christoph Hellwig @ 2026-06-09 8:36 UTC (permalink / raw)
To: Jason Gunthorpe
Cc: iommu, Joerg Roedel (AMD), Robin Murphy, Will Deacon, Jens Axboe,
Christoph Hellwig, Leon Romanovsky, Marek Szyprowski,
Luis Chamberlain, Mark Lord, patches, stable
Looks good:
Reviewed-by: Christoph Hellwig <hch@lst.de>
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [PATCH rc] iommu/dma: Do not try to iommu_map a 0 length region in swiotlb
2026-06-08 18:10 ` [PATCH rc] iommu/dma: Do not try to iommu_map a 0 length region in swiotlb Jason Gunthorpe
2026-06-09 8:36 ` Christoph Hellwig
@ 2026-06-09 14:52 ` Leon Romanovsky
2026-06-09 17:03 ` Samiullah Khawaja
2026-06-09 20:26 ` Marek Szyprowski
3 siblings, 0 replies; 5+ messages in thread
From: Leon Romanovsky @ 2026-06-09 14:52 UTC (permalink / raw)
To: Jason Gunthorpe
Cc: iommu, Joerg Roedel (AMD), Robin Murphy, Will Deacon, Jens Axboe,
Christoph Hellwig, Marek Szyprowski, Luis Chamberlain, Mark Lord,
patches, stable
On Mon, Jun 08, 2026 at 03:10:04PM -0300, Jason Gunthorpe wrote:
> iommu_dma_iova_link_swiotlb() processes a mapping that is unaligned in three
> parts, the head, middle and trailer. If the middle is empty because there
> are no aligned pages it will call down to iommu_map() with a 0 size
> which the iommupt implementation will fail as illegal.
>
> It then tries to do an error unwind and starts from the wrong spot
> corrupting the mapping so the eventual destruction triggers a WARN_ON.
>
> Check for 0 length and avoid mapping and use offset not 0 as the starting
> point to unlink.
>
> This is frequently triggered by using some kinds of thunderbolt NVMe
> drives that trigger forced SWIOTLB for unaligned memory. NVMe seems to
> pass in oddly aligned buffers for the passthrough commands from smartctl
> that hit this condition.
>
> Cc: stable@vger.kernel.org
> Fixes: 433a76207dcf ("dma-mapping: Implement link/unlink ranges API")
> Reported-by: Mark Lord <mlord@pobox.com>
> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
> ---
> drivers/iommu/dma-iommu.c | 19 +++++++++++++------
> 1 file changed, 13 insertions(+), 6 deletions(-)
>
> This was discovered because iommupt errors on mapping length=0 instead of
> making it a NOP, so it is an became an issue since commit d6c65b0fd621
> ("iommupt: Avoid rewalking during map") making it a regression this merge
> window.
>
Thanks,
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [PATCH rc] iommu/dma: Do not try to iommu_map a 0 length region in swiotlb
2026-06-08 18:10 ` [PATCH rc] iommu/dma: Do not try to iommu_map a 0 length region in swiotlb Jason Gunthorpe
2026-06-09 8:36 ` Christoph Hellwig
2026-06-09 14:52 ` Leon Romanovsky
@ 2026-06-09 17:03 ` Samiullah Khawaja
2026-06-09 20:26 ` Marek Szyprowski
3 siblings, 0 replies; 5+ messages in thread
From: Samiullah Khawaja @ 2026-06-09 17:03 UTC (permalink / raw)
To: Jason Gunthorpe
Cc: iommu, Joerg Roedel (AMD), Robin Murphy, Will Deacon, Jens Axboe,
Christoph Hellwig, Leon Romanovsky, Marek Szyprowski,
Luis Chamberlain, Mark Lord, patches, stable
On Mon, Jun 08, 2026 at 03:10:04PM -0300, Jason Gunthorpe wrote:
>iommu_dma_iova_link_swiotlb() processes a mapping that is unaligned in three
>parts, the head, middle and trailer. If the middle is empty because there
>are no aligned pages it will call down to iommu_map() with a 0 size
>which the iommupt implementation will fail as illegal.
>
>It then tries to do an error unwind and starts from the wrong spot
>corrupting the mapping so the eventual destruction triggers a WARN_ON.
>
>Check for 0 length and avoid mapping and use offset not 0 as the starting
>point to unlink.
>
>This is frequently triggered by using some kinds of thunderbolt NVMe
>drives that trigger forced SWIOTLB for unaligned memory. NVMe seems to
>pass in oddly aligned buffers for the passthrough commands from smartctl
>that hit this condition.
>
>Cc: stable@vger.kernel.org
>Fixes: 433a76207dcf ("dma-mapping: Implement link/unlink ranges API")
>Reported-by: Mark Lord <mlord@pobox.com>
>Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
>---
> drivers/iommu/dma-iommu.c | 19 +++++++++++++------
> 1 file changed, 13 insertions(+), 6 deletions(-)
>
>This was discovered because iommupt errors on mapping length=0 instead of
>making it a NOP, so it is an became an issue since commit d6c65b0fd621
>("iommupt: Avoid rewalking during map") making it a regression this merge
>window.
>
>diff --git a/drivers/iommu/dma-iommu.c b/drivers/iommu/dma-iommu.c
>index 54d96e847f161b..381b60d9e7ceaf 100644
>--- a/drivers/iommu/dma-iommu.c
>+++ b/drivers/iommu/dma-iommu.c
>@@ -1918,12 +1918,18 @@ static int iommu_dma_iova_link_swiotlb(struct device *dev,
> return 0;
> }
>
>+ /*
>+ * After removing the partial head and tail, there may be no aligned
>+ * middle left to map. The tail still gets bounced below.
>+ */
> size -= iova_end_pad;
>- error = __dma_iova_link(dev, addr + mapped, phys + mapped, size, dir,
>- attrs);
>- if (error)
>- goto out_unmap;
>- mapped += size;
>+ if (size) {
>+ error = __dma_iova_link(dev, addr + mapped, phys + mapped,
>+ size, dir, attrs);
>+ if (error)
>+ goto out_unmap;
>+ mapped += size;
>+ }
>
> if (iova_end_pad) {
> error = iommu_dma_iova_bounce_and_link(dev, addr + mapped,
>@@ -1936,7 +1942,8 @@ static int iommu_dma_iova_link_swiotlb(struct device *dev,
> return 0;
>
> out_unmap:
>- dma_iova_unlink(dev, state, 0, mapped, dir, attrs);
>+ if (mapped)
>+ dma_iova_unlink(dev, state, offset, mapped, dir, attrs);
> return error;
> }
>
>
>base-commit: 4549871118cf616eecdd2d939f78e3b9e1dddc48
>--
>2.43.0
>
>
Reviewed-by: Samiullah Khawaja <skhawaja@google.com>
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [PATCH rc] iommu/dma: Do not try to iommu_map a 0 length region in swiotlb
2026-06-08 18:10 ` [PATCH rc] iommu/dma: Do not try to iommu_map a 0 length region in swiotlb Jason Gunthorpe
` (2 preceding siblings ...)
2026-06-09 17:03 ` Samiullah Khawaja
@ 2026-06-09 20:26 ` Marek Szyprowski
3 siblings, 0 replies; 5+ messages in thread
From: Marek Szyprowski @ 2026-06-09 20:26 UTC (permalink / raw)
To: Jason Gunthorpe, iommu, Joerg Roedel (AMD), Robin Murphy,
Will Deacon
Cc: Jens Axboe, Christoph Hellwig, Leon Romanovsky, Luis Chamberlain,
Mark Lord, patches, stable
On 08.06.2026 20:10, Jason Gunthorpe wrote:
> iommu_dma_iova_link_swiotlb() processes a mapping that is unaligned in three
> parts, the head, middle and trailer. If the middle is empty because there
> are no aligned pages it will call down to iommu_map() with a 0 size
> which the iommupt implementation will fail as illegal.
>
> It then tries to do an error unwind and starts from the wrong spot
> corrupting the mapping so the eventual destruction triggers a WARN_ON.
>
> Check for 0 length and avoid mapping and use offset not 0 as the starting
> point to unlink.
>
> This is frequently triggered by using some kinds of thunderbolt NVMe
> drives that trigger forced SWIOTLB for unaligned memory. NVMe seems to
> pass in oddly aligned buffers for the passthrough commands from smartctl
> that hit this condition.
>
> Cc: stable@vger.kernel.org
> Fixes: 433a76207dcf ("dma-mapping: Implement link/unlink ranges API")
> Reported-by: Mark Lord <mlord@pobox.com>
> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Applied to dma-mapping-fixes, thanks!
> ---
> drivers/iommu/dma-iommu.c | 19 +++++++++++++------
> 1 file changed, 13 insertions(+), 6 deletions(-)
>
> This was discovered because iommupt errors on mapping length=0 instead of
> making it a NOP, so it is an became an issue since commit d6c65b0fd621
> ("iommupt: Avoid rewalking during map") making it a regression this merge
> window.
>
> diff --git a/drivers/iommu/dma-iommu.c b/drivers/iommu/dma-iommu.c
> index 54d96e847f161b..381b60d9e7ceaf 100644
> --- a/drivers/iommu/dma-iommu.c
> +++ b/drivers/iommu/dma-iommu.c
> @@ -1918,12 +1918,18 @@ static int iommu_dma_iova_link_swiotlb(struct device *dev,
> return 0;
> }
>
> + /*
> + * After removing the partial head and tail, there may be no aligned
> + * middle left to map. The tail still gets bounced below.
> + */
> size -= iova_end_pad;
> - error = __dma_iova_link(dev, addr + mapped, phys + mapped, size, dir,
> - attrs);
> - if (error)
> - goto out_unmap;
> - mapped += size;
> + if (size) {
> + error = __dma_iova_link(dev, addr + mapped, phys + mapped,
> + size, dir, attrs);
> + if (error)
> + goto out_unmap;
> + mapped += size;
> + }
>
> if (iova_end_pad) {
> error = iommu_dma_iova_bounce_and_link(dev, addr + mapped,
> @@ -1936,7 +1942,8 @@ static int iommu_dma_iova_link_swiotlb(struct device *dev,
> return 0;
>
> out_unmap:
> - dma_iova_unlink(dev, state, 0, mapped, dir, attrs);
> + if (mapped)
> + dma_iova_unlink(dev, state, offset, mapped, dir, attrs);
> return error;
> }
>
>
> base-commit: 4549871118cf616eecdd2d939f78e3b9e1dddc48
Best regards
--
Marek Szyprowski, PhD
Samsung R&D Institute Poland
^ permalink raw reply [flat|nested] 5+ messages in thread