[PATCH V1] nvme-pci: Fix NULL pointer dereference in nvme_pci_prp_iter_next
Keith Busch
kbusch at kernel.org
Mon Feb 2 09:13:24 PST 2026
On Mon, Feb 02, 2026 at 03:16:50PM +0000, Robin Murphy wrote:
> On 2026-02-02 2:35 pm, Christoph Hellwig wrote:
> > On Mon, Feb 02, 2026 at 06:27:38PM +0530, Pradeep P V K wrote:
> > > Fix a NULL pointer dereference that occurs in nvme_pci_prp_iter_next()
> > > when SWIOTLB bounce buffering becomes active during runtime.
> > >
> > > The issue occurs when SWIOTLB activation changes the device's DMA
> > > mapping requirements at runtime,
> > >
> > > creating a mismatch between
> > > iod->dma_vecs allocation and access logic.
> > >
> > > The problem manifests when:
> > > 1. Device initially operates with dma_skip_sync=true
> > > (coherent DMA assumed)
> > > 2. First SWIOTLB mapping occurs due to DMA address limitations,
> > > memory encryption, or IOMMU bounce buffering requirements
> > > 3. SWIOTLB calls dma_reset_need_sync(), permanently setting
> > > dma_skip_sync=false
> > > 4. Subsequent I/Os now have dma_need_unmap()=true, requiring
> > > iod->dma_vecs
> >
> > I think this patch just papers over the bug. If dma_need_unmap
> > can't be trusted before the dma_map_* call, we've not saved
> > the unmap information and the unmap won't work properly.
>
> The dma_need_unmap() kerneldoc says:
>
> "This function must be called after all mappings that might
> need to be unmapped have been performed."
>
> Trying to infer anything from it beforehand is definitely a bug in the
> caller.
Well that doesn't really make sense. No matter how many mappings the
driver has done, there will always be more. ?
More information about the Linux-nvme
mailing list