This is a note to let you know that I've just added the patch titled

    swiotlb: skip swiotlb_bounce when orig_addr is zero

to the 4.19-stable tree which can be found at:

    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:

    swiotlb-skip-swiotlb_bounce-when-orig_addr-is-zero.patch

and it can be found in the queue-4.19 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it.

>From liushixin2@xxxxxxxxxx Thu Jun 30 15:25:20 2022
From: Liu Shixin <liushixin2@xxxxxxxxxx>
Date: Thu, 30 Jun 2022 19:33:31 +0800
Subject: swiotlb: skip swiotlb_bounce when orig_addr is zero
To: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>, Halil Pasic <pasic@xxxxxxxxxxxxx>, Christoph Hellwig <hch@xxxxxx>, Ovidiu Panait <ovidiu.panait@xxxxxxxxxxxxx>, Ben Hutchings <ben@xxxxxxxxxxxxxxx>
Cc: <linux-kernel@xxxxxxxxxxxxxxx>, <stable@xxxxxxxxxxxxxxx>, Liu Shixin <liushixin2@xxxxxxxxxx>
Message-ID: <20220630113331.1544886-1-liushixin2@xxxxxxxxxx>
From: Liu Shixin <liushixin2@xxxxxxxxxx>

After patch ddbd89deb7d3 ("swiotlb: fix info leak with DMA_FROM_DEVICE"), swiotlb_bounce will be called in swiotlb_tbl_map_single unconditionally. This requires that the physical address must be valid, which is not always true on stable-4.19 or earlier versions.

On stable-4.19, swiotlb_alloc_buffer will call swiotlb_tbl_map_single with orig_addr equal to zero, which causes such a panic:

    Unable to handle kernel paging request at virtual address ffffb77a40000000
    ...
    pc : __memcpy+0x100/0x180
    lr : swiotlb_bounce+0x74/0x88
    ...
    Call trace:
     __memcpy+0x100/0x180
     swiotlb_tbl_map_single+0x2c8/0x338
     swiotlb_alloc+0xb4/0x198
     __dma_alloc+0x84/0x1d8
    ...

On stable-4.9 and stable-4.14, swiotlb_alloc_coherent will call map_single with orig_addr equal to zero, which can cause the same panic.

Fix this by skipping swiotlb_bounce when orig_addr is zero.

Fixes: ddbd89deb7d3 ("swiotlb: fix info leak with DMA_FROM_DEVICE")
Signed-off-by: Liu Shixin <liushixin2@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 kernel/dma/swiotlb.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/kernel/dma/swiotlb.c +++ b/kernel/dma/swiotlb.c @@ -594,7 +594,8 @@ found: * unconditional bounce may prevent leaking swiotlb content (i.e. * kernel memory) to user-space. */ - swiotlb_bounce(orig_addr, tlb_addr, size, DMA_TO_DEVICE); + if (orig_addr) + swiotlb_bounce(orig_addr, tlb_addr, size, DMA_TO_DEVICE); return tlb_addr; }

Patches currently in stable-queue which might be from liushixin2@xxxxxxxxxx are

queue-4.19/swiotlb-skip-swiotlb_bounce-when-orig_addr-is-zero.patch
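Review bot: the `if (orig_addr)` guard uses physical address 0 as a sentinel for "no source buffer", which matches the swiotlb_alloc_buffer / swiotlb_alloc_coherent callers named in the commit message, but nothing in the hunk says so; add a one-line comment above the check (e.g. `/* orig_addr == 0: coherent allocation, nothing to copy from */`) so the next reader does not mistake it for a NULL-pointer test on a phys_addr_t. Since the call being skipped is exactly the unconditional bounce that ddbd89deb7d3 added to stop swiotlb contents leaking on DMA_FROM_DEVICE, the commit message should also say why the orig_addr == 0 path does not reintroduce that leak (for instance, whether those allocation callers clear the returned buffer before handing it out); as written the justification covers only the panic.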