From: Alireza Haghdoost
Date: Fri, 10 Apr 2026 15:29:18 -0700
Subject: [PATCH] nvme-pci: fix swapped arguments in SGL DMA unmap path
To: linux-nvme@lists.infradead.org
Cc: linux-iommu@vger.kernel.org, iommu@lists.linux.dev, jroedel@suse.de, Robin Murphy, will@kernel.org, Nagi Parimi, Kshitij Doshi, Jeff Bean, Vikrant Soman, kbusch@kernel.org, xboe@kernel.dk, hch@lst.de, sagi@grimberg.me, leon@kernel.org, linux-kernel@vger.kernel.org

The arguments to nvme_free_sgls() in nvme_unmap_data() are swapped for the multi-entry SGL case. The first argument (sge) should be the segment descriptor from the NVMe command's data pointer (type NVME_SGL_FMT_LAST_SEG_DESC), and the second argument (sg_list) should be the pool-allocated array of data descriptors.

With the arguments swapped, sge points to the first data descriptor (type NVME_SGL_FMT_DATA_DESC). nvme_free_sgls() sees a data descriptor, unmaps only that single entry, and returns -- leaking the DMA mappings for all subsequent segments.

This manifests as unbounded iommu_iova slab growth on ARM64 systems with 64K pages and IOMMU DMA translation, where IOVA coalescing is disabled due to the NVMe 4K page / IOMMU 64K page granularity mismatch. On x86 and ARM64 with 4K pages, IOVA coalescing handles the unmap via dma_iova_destroy() and the buggy path is never reached.

Fixes: 7ce3c1dd78fc ("nvme-pci: convert the data mapping to blk_rq_dma_map")
Signed-off-by: Alireza Haghdoost

--- drivers/nvme/host/pci.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c index 28f638413e122..728999e4247d8 100644 --- a/drivers/nvme/host/pci.c +++ b/drivers/nvme/host/pci.c
@@ -761,8 +761,8 @@ static void nvme_unmap_data(struct request *req) if (!blk_rq_dma_unmap(req, dma_dev, &iod->dma_state, iod->total_len= )) { if (nvme_pci_cmd_use_sgl(&iod->cmd)) - nvme_free_sgls(req, iod->descriptors[0], - &iod->cmd.common.dptr.sgl); + nvme_free_sgls(req, &iod->cmd.common.dptr.sgl, + iod->descriptors[0]); else nvme_free_prps(req); } --=20 2.39.5
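
Review bot: at the nvme_free_sgls() call in nvme_unmap_data(), nothing at the call site says which argument is the command's segment descriptor and which is the pool-allocated descriptor array, and the removed lines show that the reversed order was accepted as-is. Consider a short comment above the call stating the order (&iod->cmd.common.dptr.sgl first, then iod->descriptors[0]), or a follow-up that gives the two parameters distinct types so a swap fails to build. Because the commit message describes leaked DMA mappings and carries a Fixes: tag, a Cc: stable tag would also be worth adding if the fixed commit has reached a stable tree.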