32 changes: 22 additions & 10 deletions src/nvme/util.c
Expand Up @@ -142,7 +142,8 @@
return nvme_sync(ctrl, ctrl->adminq.sq, sqe, buf, len, cqe_copy);
}

static inline int __map_prp_first(leint64_t *prp1, leint64_t *prplist, uint64_t iova, size_t len,
static inline int __map_prp_first(leint64_t *prp1, leint64_t *prplist,
uint64_t prplist_iova, uint64_t iova, size_t len,
int pageshift)
{
size_t pagesize = 1 << pageshift;
Expand All @@ -151,6 +152,9 @@
/* number of prps required to map the buffer */
int prpcount = 1;

uint64_t __prplist_iova = prplist_iova;
leint64_t *__prplist = prplist;

*prp1 = cpu_to_le64(iova);

/* account for what is covered with the first prp */
Expand All @@ -164,17 +168,23 @@
/* align down to simplify loop below */
iova = ALIGN_DOWN(iova, pagesize);

if (prpcount > max_prps) {
errno = EINVAL;
return -1;
}

/*
* Map the remaining parts of the buffer into prp2/prplist. iova will be
* aligned from the above, which simplifies this.
*/
for (int i = 1; i < prpcount; i++)
prplist[i - 1] = cpu_to_le64(iova + ((uint64_t)i << pageshift));
for (int i = 1, pos = 0; i < prpcount; i++) {
if (pos == max_prps - 1) {
uint64_t next_iova = __prplist_iova + pagesize;
__prplist[pos] = cpu_to_le64(next_iova);


__prplist = (leint64_t *)((char *)__prplist + pagesize);
This is essentially a memory overrun.

__prplist is a pointer to a 4KB chunk of memory that is a subset of memory allocated in __nvme_configure_sq(). This change overruns the memory assigned to this request and tramples over the memory in the next request; or in the case of the last request it may run past the iommu mapping and fail.

It also breaks the test in rq_test which is expecting a limit enforcing max_prps.

I recommend reverting this commit. A more correct solution would require allocating another buffer, creating an ephemeral mapping and tearing that all down when the request is complete.


Indeed, let me revert it back first and make some fixes on this. Thanks

__prplist_iova = next_iova;

pos = 0;
}

__prplist[pos++] = cpu_to_le64(iova + ((uint64_t)i << pageshift));
}

/*
* prpcount may be zero if the buffer length was less than the page
Expand Down Expand Up @@ -232,7 +242,8 @@
return -1;
}

prpcount = __map_prp_first(&cmd->dptr.prp1, prplist, iova, len, pageshift);
prpcount = __map_prp_first(&cmd->dptr.prp1, prplist, prplist_iova,
iova, len, pageshift);
if (prpcount < 0) {
errno = EINVAL;
return -1;
Expand Down Expand Up @@ -314,7 +325,8 @@
}

/* map the first segment */
prpcount = __map_prp_first(&cmd->dptr.prp1, prplist, iova, len, pageshift);
prpcount = __map_prp_first(&cmd->dptr.prp1, prplist, prplist_iova,
iova, len, pageshift);
if (prpcount < 0)
goto invalid;
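Review bot: The new `prplist_iova` parameter of `__map_prp_first` carries an unstated precondition: the chain branch at `if (pos == max_prps - 1)` advances `__prplist` and `__prplist_iova` by `pagesize` in lockstep, so the function requires the PRP list buffer to be backed by consecutive pages whose IOVAs are contiguous from `prplist_iova`, and neither the function nor the two updated call sites document or check that. I would put a comment above the signature, e.g. `/* prplist must be backed by contiguous pages starting at prplist_iova; the last slot of each page is written as a pointer to the next page (PRP list chaining). */`, and state there that the returned count covers data PRPs only, since `prpcount` is fixed before the loop and chain-pointer entries are written on top of it. That last claim should be confirmed against the part of the body hidden between the two hunks, where `prpcount` is computed. A smaller style point in the same branch: `uint64_t next_iova = __prplist_iova + pagesize;` is a declaration immediately followed by a statement, which the project's check-patch style expects to be separated by a blank line. The function starts at its signature in the first hunk and continues past the end of the second.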
