[PATCH V1] nvme-pci: Fix NULL pointer dereference in nvme_pci_prp_iter_next
Christoph Hellwig
hch at lst.de
Mon Feb 2 06:35:48 PST 2026
On Mon, Feb 02, 2026 at 06:27:38PM +0530, Pradeep P V K wrote:
> Fix a NULL pointer dereference that occurs in nvme_pci_prp_iter_next()
> when SWIOTLB bounce buffering becomes active during runtime.
>
> The issue occurs when SWIOTLB activation changes the device's DMA
> mapping requirements at runtime,
>
> creating a mismatch between
> iod->dma_vecs allocation and access logic.
>
> The problem manifests when:
> 1. Device initially operates with dma_skip_sync=true
> (coherent DMA assumed)
> 2. First SWIOTLB mapping occurs due to DMA address limitations,
> memory encryption, or IOMMU bounce buffering requirements
> 3. SWIOTLB calls dma_reset_need_sync(), permanently setting
> dma_skip_sync=false
> 4. Subsequent I/Os now have dma_need_unmap()=true, requiring
> iod->dma_vecs
I think this patch just papers over the bug. If dma_need_unmap
can't be trusted before the dma_map_* call, we've not saved
the unmap information and the unmap won't work properly.
So we'll need to extend the core code to tell if a mapping
will set dma_skip_sync=false before doing the mapping.
More information about the Linux-nvme
mailing list