[PATCH RFC] iommu/dma: Validate page before accessing P2PDMA state

From: Ashish Mhetre

Date: Tue Feb 24 2026 - 05:44:52 EST


When mapping scatter-gather entries that reference reserved
memory regions without struct page backing (e.g., bootloader-created
carveouts), is_pci_p2pdma_page() dereferences the page pointer
returned by sg_page() without first verifying its validity.

This causes a kernel paging fault when CONFIG_PCI_P2PDMA is enabled
and dma_map_sg_attrs() is called for memory regions that have no
associated struct page:

Unable to handle kernel paging request at virtual address fffffc007d100000
...
Call trace:
iommu_dma_map_sg+0x118/0x414
dma_map_sg_attrs+0x38/0x44

Fix this by adding a pfn_valid() check before calling
is_pci_p2pdma_page(). If the page frame number is invalid, skip the
P2PDMA check entirely as such memory cannot be P2PDMA memory anyway.

Signed-off-by: Ashish Mhetre <amhetre@xxxxxxxxxx>
---
drivers/iommu/dma-iommu.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/drivers/iommu/dma-iommu.c b/drivers/iommu/dma-iommu.c
index 5dac64be61bb..5f45f33b23c2 100644
--- a/drivers/iommu/dma-iommu.c
+++ b/drivers/iommu/dma-iommu.c
@@ -1423,6 +1423,9 @@ int iommu_dma_map_sg(struct device *dev, struct scatterlist *sg, int nents,
size_t s_length = s->length;
size_t pad_len = (mask - iova_len + 1) & mask;

+ if (!pfn_valid(page_to_pfn(sg_page(s))))
+ goto post_pci_p2pdma;
+
switch (pci_p2pdma_state(&p2pdma_state, dev, sg_page(s))) {
case PCI_P2PDMA_MAP_THRU_HOST_BRIDGE:
/*
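Review bot: the new pfn_valid() test ahead of the switch has no comment, and it runs for every scatterlist entry even though the commit message ties the fault to CONFIG_PCI_P2PDMA being enabled. A short comment saying that an entry may point at a reserved carveout with no struct page would explain why the test is needed here, and gating it with IS_ENABLED(CONFIG_PCI_P2PDMA) would keep the extra lookup out of builds where the P2PDMA check is not in play. sg_page(s) is also evaluated twice in adjacent statements (once for the test, once for pci_p2pdma_state()); a local struct page pointer would make it obvious that both use the same value.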
@@ -1449,6 +1452,7 @@ int iommu_dma_map_sg(struct device *dev, struct scatterlist *sg, int nents,
goto out_restore_sg;
}

+post_pci_p2pdma:
sg_dma_address(s) = s_iova_off;
sg_dma_len(s) = s_length;
s->offset -= s_iova_off;
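Review bot: the post_pci_p2pdma label sends an entry with an invalid pfn straight into the normal sg_dma_address()/sg_dma_len() bookkeeping, and neither the commit message nor a comment says whether the rest of the mapping path is safe for memory that has no struct page. The patch only covers the one dereference in the P2PDMA check, so please state that explicitly, or explain why the caller that builds a scatterlist over such memory is not the thing to fix. As a style point, wrapping the switch in the condition, or moving the test into a small helper, would avoid a forward goto over the whole switch to a label in the middle of the block.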
--
2.25.1