[PATCH V1] nvme-pci: Fix NULL pointer dereference in nvme_pci_prp_iter_next
Christoph Hellwig
hch at lst.de
Mon Feb 2 09:36:24 PST 2026
On Mon, Feb 02, 2026 at 10:13:24AM -0700, Keith Busch wrote:
> > "This function must be called after all mappings that might
> > need to be unmapped have been performed."
> >
> > Trying to infer anything from it beforehand is definitely a bug in the
> > caller.
>
> Well that doesn't really make sense. No matter how many mappings the
> driver has done, there will always be more. ?
Yeah. It's more like if this returns true, all future calls, plus
the previous one (which might have caused this). For that something
like the patch below should work in nvme. Totally untested as I'm
about to head away from the desk and prepare dinner.
diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index 2a52cf46d960..f944b747e1bd 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -816,6 +816,22 @@ static void nvme_unmap_data(struct request *req)
nvme_free_descriptors(req);
}
+static bool nvme_pci_alloc_dma_vecs(struct request *req,
+ struct blk_dma_iter *iter)
+{
+ struct nvme_iod *iod = blk_mq_rq_to_pdu(req);
+ struct nvme_queue *nvmeq = req->mq_hctx->driver_data;
+
+ iod->dma_vecs = mempool_alloc(nvmeq->dev->dmavec_mempool,
+ GFP_ATOMIC);
+ if (!iod->dma_vecs)
+ return false;
+ iod->dma_vecs[0].addr = iter->addr;
+ iod->dma_vecs[0].len = iter->len;
+ iod->nr_dma_vecs = 1;
+ return true;
+}
+
static bool nvme_pci_prp_iter_next(struct request *req, struct device *dma_dev,
struct blk_dma_iter *iter)
{
@@ -826,6 +842,8 @@ static bool nvme_pci_prp_iter_next(struct request *req, struct device *dma_dev,
if (!blk_rq_dma_map_iter_next(req, dma_dev, iter))
return false;
if (!dma_use_iova(&iod->dma_state) && dma_need_unmap(dma_dev)) {
+ if (!iod->nr_dma_vecs && !nvme_pci_alloc_dma_vecs(req, iter))
+ return false;
iod->dma_vecs[iod->nr_dma_vecs].addr = iter->addr;
iod->dma_vecs[iod->nr_dma_vecs].len = iter->len;
iod->nr_dma_vecs++;
@@ -844,13 +862,8 @@ static blk_status_t nvme_pci_setup_data_prp(struct request *req,
__le64 *prp_list;
if (!dma_use_iova(&iod->dma_state) && dma_need_unmap(nvmeq->dev->dev)) {
- iod->dma_vecs = mempool_alloc(nvmeq->dev->dmavec_mempool,
- GFP_ATOMIC);
- if (!iod->dma_vecs)
+ if (!nvme_pci_alloc_dma_vecs(req, iter))
return BLK_STS_RESOURCE;
- iod->dma_vecs[0].addr = iter->addr;
- iod->dma_vecs[0].len = iter->len;
- iod->nr_dma_vecs = 1;
}
/*
More information about the Linux-nvme
mailing list