From: John Groves <[email protected]>

Two fixes for virtual address handling in fsdev:

1. Use __va(phys) instead of virt_addr + linear_offset for the kaddr
   return in __fsdev_dax_direct_access(). The previous code added a
   device-linear byte offset to virt_addr (which is __va of ranges[0]),
   but for multi-range devices with physical gaps between ranges, this
   linear arithmetic crosses the gap and produces a wrong kernel virtual
   address. Using __va(phys) where phys comes from dax_pgoff_to_phys()
   is correct for any range layout because the direct map translates
   each physical address independently.

2. Convert the WARN_ON to a fatal error when pgmap_phys > phys. This
   condition means the remapped region starts after the device's data
   region, which is an impossible state. Previously the probe continued
   with data_offset=0, leaving virt_addr silently misaligned. Now probe
   returns -EINVAL with a diagnostic message.

Fixes: 759455848df0b ("dax: Save the kva from memremap")
Signed-off-by: John Groves <[email protected]>
---
 drivers/dax/fsdev.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/drivers/dax/fsdev.c b/drivers/dax/fsdev.c
index de7e6dee68386..bf0ba1f1f0b76 100644
--- a/drivers/dax/fsdev.c
+++ b/drivers/dax/fsdev.c
@@ -51,7 +51,6 @@ static long __fsdev_dax_direct_access(struct dax_device 
*dax_dev, pgoff_t pgoff,
        struct dev_dax *dev_dax = dax_get_private(dax_dev);
        size_t size = nr_pages << PAGE_SHIFT;
        size_t offset = pgoff << PAGE_SHIFT;
-       void *virt_addr = dev_dax->virt_addr + offset;
        phys_addr_t phys;
 
        phys = dax_pgoff_to_phys(dev_dax, pgoff, size);
@@ -62,7 +61,7 @@ static long __fsdev_dax_direct_access(struct dax_device 
*dax_dev, pgoff_t pgoff,
        }
 
        if (kaddr)
-               *kaddr = virt_addr;
+               *kaddr = __va(phys);
 
        if (pfn)
                *pfn = PHYS_PFN(phys);
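Review bot: The `*kaddr = __va(phys);` assignment relies on two things the hunk does not state: that `phys` has already been rejected when `dax_pgoff_to_phys()` fails, and that every range of the device lies in the kernel direct map. The closing brace just above presumably ends that failure check, but the check itself and the start and end of `__fsdev_dax_direct_access()` are outside the hunk, so this should be confirmed. Because the pointer is handed back to callers that will dereference it, I would record the assumption at the assignment, e.g. `/* phys was validated above; __va() is valid only because the pgmap ranges are in the direct map */`.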
@@ -311,8 +310,13 @@ static int fsdev_dax_probe(struct dev_dax *dev_dax)
                u64 phys = dev_dax->ranges[0].range.start;
                u64 pgmap_phys = dev_dax->pgmap[0].range.start;
 
-               if (!WARN_ON(pgmap_phys > phys))
-                       data_offset = phys - pgmap_phys;
+               if (pgmap_phys > phys) {
+                       dev_err(dev, "pgmap start %#llx exceeds data start 
%#llx\n",
+                               pgmap_phys, phys);
+                       rc = -EINVAL;
+                       goto err_pgmap;
+               }
+               data_offset = phys - pgmap_phys;
 
                pr_debug("%s: offset detected phys=%llx pgmap_phys=%llx 
offset=%llx\n",
                       __func__, phys, pgmap_phys, data_offset);
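Review bot: With this patch `dev_dax->virt_addr` has no reader left among the visible hunks, yet probe still derives `data_offset` for it, so the stored value describes `ranges[0]` only. A later caller that adds a device-linear offset to it would reintroduce the cross-gap address bug this patch removes. A comment where the field is set, such as `/* virt_addr covers ranges[0] only; never add a device-linear offset to it */`, would guard against that, or the field could be dropped if nothing else uses it. The `err_pgmap` label and the declarations of `dev` and `rc` are outside the hunk, so it is worth confirming that the label undoes everything probe has set up by this point.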
-- 
2.53.0


