[PATCH] block: fix partial IOVA mapping cleanup in blk_rq_dma_map

public inbox for linux-block@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] block: fix partial IOVA mapping cleanup in blk_rq_dma_map_iova
@ 2026-02-11 20:49 Chaitanya Kulkarni
  2026-02-12 10:17 ` Christoph Hellwig
  2026-02-12 11:27 ` Jens Axboe
  0 siblings, 2 replies; 4+ messages in thread
From: Chaitanya Kulkarni @ 2026-02-11 20:49 UTC (permalink / raw)
  To: hch; +Cc: leon, axboe, linux-block, Chaitanya Kulkarni

When dma_iova_link() fails partway through mapping a request's bvec
list, the function breaks out of the loop without cleaning up
already mapped segments. Similarly, if dma_iova_sync() fails after
linking all segments, no cleanup is performed.

This leaves partial IOVA mappings in place. The completion path
attempts to unmap the full expected size via dma_iova_destroy() or
nvme_unmap_data(), but only a partial size was actually mapped,
leading to incorrect unmap operations.

Add an out_unlink error path that calls dma_iova_destroy() to clean
up partial mappings before returning failure. The dma_iova_destroy()
function handles both partial unlink and IOVA space freeing. It
correctly handles the mapped_len == 0 case (first dma_iova_link()
failure) by only freeing the IOVA allocation without attempting to
unmap.

Signed-off-by: Chaitanya Kulkarni <kch@nvidia.com>
---
 block/blk-mq-dma.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/block/blk-mq-dma.c b/block/blk-mq-dma.c
index 3c87779cdc19..bfdb9ed70741 100644
--- a/block/blk-mq-dma.c
+++ b/block/blk-mq-dma.c
@@ -121,17 +121,20 @@ static bool blk_rq_dma_map_iova(struct request *req, struct device *dma_dev,
 		error = dma_iova_link(dma_dev, state, vec->paddr, mapped,
 				vec->len, dir, attrs);
 		if (error)
-			break;
+			goto out_unlink;
 		mapped += vec->len;
 	} while (blk_map_iter_next(req, &iter->iter, vec));

 	error = dma_iova_sync(dma_dev, state, 0, mapped);
-	if (error) {
-		iter->status = errno_to_blk_status(error);
-		return false;
-	}
+	if (error)
+		goto out_unlink;

 	return true;
+
+out_unlink:
+	dma_iova_destroy(dma_dev, state, mapped, dir, attrs);
+	iter->status = errno_to_blk_status(error);
+	return false;
 }

 static inline void blk_rq_map_iter_init(struct request *rq,
-- 
2.39.5

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] block: fix partial IOVA mapping cleanup in blk_rq_dma_map_iova
  2026-02-11 20:49 [PATCH] block: fix partial IOVA mapping cleanup in blk_rq_dma_map_iova Chaitanya Kulkarni
@ 2026-02-12 10:17 ` Christoph Hellwig
  2026-02-15  4:24   ` Chaitanya Kulkarni
  2026-02-12 11:27 ` Jens Axboe
  1 sibling, 1 reply; 4+ messages in thread
From: Christoph Hellwig @ 2026-02-12 10:17 UTC (permalink / raw)
  To: Chaitanya Kulkarni; +Cc: hch, leon, axboe, linux-block

On Wed, Feb 11, 2026 at 12:49:44PM -0800, Chaitanya Kulkarni wrote:
> When dma_iova_link() fails partway through mapping a request's bvec
> list, the function breaks out of the loop without cleaning up
> already mapped segments. Similarly, if dma_iova_sync() fails after
> linking all segments, no cleanup is performed.
> 
> This leaves partial IOVA mappings in place. The completion path
> attempts to unmap the full expected size via dma_iova_destroy() or
> nvme_unmap_data(), but only a partial size was actually mapped,
> leading to incorrect unmap operations.

Do you have a reproducer for this?

Otherwise looks good:

Reviewed-by: Christoph Hellwig <hch@lst.de>


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] block: fix partial IOVA mapping cleanup in blk_rq_dma_map_iova
  2026-02-12 10:17 ` Christoph Hellwig
@ 2026-02-15  4:24   ` Chaitanya Kulkarni
  0 siblings, 0 replies; 4+ messages in thread
From: Chaitanya Kulkarni @ 2026-02-15  4:24 UTC (permalink / raw)
  To: Christoph Hellwig, Chaitanya Kulkarni
  Cc: leon@kernel.org, axboe@kernel.dk, linux-block@vger.kernel.org

On 2/12/26 02:17, Christoph Hellwig wrote:
> On Wed, Feb 11, 2026 at 12:49:44PM -0800, Chaitanya Kulkarni wrote:
>> When dma_iova_link() fails partway through mapping a request's bvec
>> list, the function breaks out of the loop without cleaning up
>> already mapped segments. Similarly, if dma_iova_sync() fails after
>> linking all segments, no cleanup is performed.
>>
>> This leaves partial IOVA mappings in place. The completion path
>> attempts to unmap the full expected size via dma_iova_destroy() or
>> nvme_unmap_data(), but only a partial size was actually mapped,
>> leading to incorrect unmap operations.
> Do you have a reproducer for this?
>
> Otherwise looks good:
>
> Reviewed-by: Christoph Hellwig <hch@lst.de>
>
I don't have a re-producer, I found this bug along with ARM IOMMU bug
purely based on reading the code while chasing another failure.

I think in future error injection in this path would be very useful.

-ck




^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] block: fix partial IOVA mapping cleanup in blk_rq_dma_map_iova
  2026-02-11 20:49 [PATCH] block: fix partial IOVA mapping cleanup in blk_rq_dma_map_iova Chaitanya Kulkarni
  2026-02-12 10:17 ` Christoph Hellwig
@ 2026-02-12 11:27 ` Jens Axboe
  1 sibling, 0 replies; 4+ messages in thread
From: Jens Axboe @ 2026-02-12 11:27 UTC (permalink / raw)
  To: hch, Chaitanya Kulkarni; +Cc: leon, linux-block


On Wed, 11 Feb 2026 12:49:44 -0800, Chaitanya Kulkarni wrote:
> When dma_iova_link() fails partway through mapping a request's bvec
> list, the function breaks out of the loop without cleaning up
> already mapped segments. Similarly, if dma_iova_sync() fails after
> linking all segments, no cleanup is performed.
> 
> This leaves partial IOVA mappings in place. The completion path
> attempts to unmap the full expected size via dma_iova_destroy() or
> nvme_unmap_data(), but only a partial size was actually mapped,
> leading to incorrect unmap operations.
> 
> [...]

Applied, thanks!

[1/1] block: fix partial IOVA mapping cleanup in blk_rq_dma_map_iova
      commit: 81e7223b1a2d63b655ee72577c8579f968d037e3

Best regards,
-- 
Jens Axboe




^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2026-02-15  4:24 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-02-11 20:49 [PATCH] block: fix partial IOVA mapping cleanup in blk_rq_dma_map_iova Chaitanya Kulkarni
2026-02-12 10:17 ` Christoph Hellwig
2026-02-15  4:24   ` Chaitanya Kulkarni
2026-02-12 11:27 ` Jens Axboe

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox