[PATCH AUTOSEL 6.14 295/642] nvme: map uring_cmd data even if address is 0

Caleb Sander Mateos csander at purestorage.com
Mon May 5 16:15:47 PDT 2025


I wouldn't backport this change to any releases. It's a potential
behavior change if a userspace application was submitting NVMe
passthru commands with a NULL data pointer but nonzero data length and
expecting the data buffer to be ignored. And supporting the data field
set to 0 is only necessary for ublk zero-copy, which is introduced in
6.15.

Best,
Caleb

On Mon, May 5, 2025 at 3:26 PM Sasha Levin <sashal at kernel.org> wrote:
>
> From: Xinyu Zhang <xizhang at purestorage.com>
>
> [ Upstream commit 99fde895ff56ac2241e7b7b4566731d72f2fdaa7 ]
>
> When using kernel registered bvec fixed buffers, the "address" is
> actually the offset into the bvec rather than userspace address.
> Therefore it can be 0.
>
> We can skip checking whether the address is NULL before mapping
> uring_cmd data. Bad userspace address will be handled properly later when
> the user buffer is imported.
>
> With this patch, we will be able to use the kernel registered bvec fixed
> buffers in io_uring NVMe passthru with ublk zero-copy support.
>
> Reviewed-by: Caleb Sander Mateos <csander at purestorage.com>
> Reviewed-by: Jens Axboe <axboe at kernel.dk>
> Reviewed-by: Ming Lei <ming.lei at redhat.com>
> Signed-off-by: Xinyu Zhang <xizhang at purestorage.com>
> Signed-off-by: Keith Busch <kbusch at kernel.org>
> Link: https://lore.kernel.org/r/20250227223916.143006-4-kbusch@meta.com
> Signed-off-by: Jens Axboe <axboe at kernel.dk>
> Signed-off-by: Sasha Levin <sashal at kernel.org>
> ---
>  drivers/nvme/host/ioctl.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/nvme/host/ioctl.c b/drivers/nvme/host/ioctl.c
> index fed6b29098ad3..11509ffd28fb5 100644
> --- a/drivers/nvme/host/ioctl.c
> +++ b/drivers/nvme/host/ioctl.c
> @@ -514,7 +514,7 @@ static int nvme_uring_cmd_io(struct nvme_ctrl *ctrl, struct nvme_ns *ns,
>                 return PTR_ERR(req);
>         req->timeout = d.timeout_ms ? msecs_to_jiffies(d.timeout_ms) : 0;
>
> -       if (d.addr && d.data_len) {
> +       if (d.data_len) {
>                 ret = nvme_map_user_request(req, d.addr,
>                         d.data_len, nvme_to_user_ptr(d.metadata),
>                         d.metadata_len, ioucmd, vec);
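Review bot: At `if (d.data_len)`, dropping the `d.addr` test applies to every submission, not only to those using kernel registered bvec fixed buffers, so a command with a zero address and nonzero `data_len` that was previously issued without a data mapping now reaches `nvme_map_user_request()`. The commit message relies on a bad userspace address being handled later at import, so a caller that passed a NULL data pointer and expected the buffer to be ignored could now see an error instead. Consider keeping the `d.addr` test for the non-fixed-buffer path and relaxing it only when a fixed buffer is in use, and add a short comment at this condition stating that in the fixed-buffer case the address is an offset into the bvec and may legitimately be 0.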
> --
> 2.39.5
>


