This is a note to let you know that I've just added the patch titled
swiotlb: fix out-of-bounds TLB allocations with CONFIG_SWIOTLB_DYNAMIC
to the 6.6-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
swiotlb-fix-out-of-bounds-tlb-allocations-with-config_swiotlb_dynamic.patch
and it can be found in the queue-6.6 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From 53c87e846e335e3c18044c397cc35178163d7827 Mon Sep 17 00:00:00 2001
From: Petr Tesarik <petr.tesarik1@xxxxxxxxxxxxxxxxxxx>
Date: Wed, 8 Nov 2023 12:12:49 +0100
Subject: swiotlb: fix out-of-bounds TLB allocations with CONFIG_SWIOTLB_DYNAMIC
From: Petr Tesarik <petr.tesarik1@xxxxxxxxxxxxxxxxxxx>
commit 53c87e846e335e3c18044c397cc35178163d7827 upstream.
Limit the free list length to the size of the IO TLB. Transient pool can be
smaller than IO_TLB_SEGSIZE, but the free list is initialized with the
assumption that the total number of slots is a multiple of IO_TLB_SEGSIZE.
As a result, swiotlb_area_find_slots() may allocate slots past the end of
a transient IO TLB buffer.
Reported-by: Niklas Schnelle <schnelle@xxxxxxxxxxxxx>
Closes: https://lore.kernel.org/linux-iommu/104a8c8fedffd1ff8a2890983e2ec1c26bff6810.camel@xxxxxxxxxxxxx/
Fixes: 79636caad361 ("swiotlb: if swiotlb is full, fall back to a transient memory pool")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Petr Tesarik <petr.tesarik1@xxxxxxxxxxxxxxxxxxx>
Reviewed-by: Halil Pasic <pasic@xxxxxxxxxxxxx>
Signed-off-by: Christoph Hellwig <hch@xxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
kernel/dma/swiotlb.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/kernel/dma/swiotlb.c b/kernel/dma/swiotlb.c
index 71392c9fac10..33d942615be5 100644
--- a/kernel/dma/swiotlb.c
+++ b/kernel/dma/swiotlb.c
@@ -283,7 +283,8 @@ static void swiotlb_init_io_tlb_pool(struct io_tlb_pool *mem, phys_addr_t start,
}
for (i = 0; i < mem->nslabs; i++) {
- mem->slots[i].list = IO_TLB_SEGSIZE - io_tlb_offset(i);
+ mem->slots[i].list = min(IO_TLB_SEGSIZE - io_tlb_offset(i),
+ mem->nslabs - i);
mem->slots[i].orig_addr = INVALID_PHYS_ADDR;
mem->slots[i].alloc_size = 0;
}
--
2.43.0
Patches currently in stable-queue which might be from petr.tesarik1@xxxxxxxxxxxxxxxxxxx are
queue-6.6/swiotlb-fix-out-of-bounds-tlb-allocations-with-config_swiotlb_dynamic.patch
queue-6.6/swiotlb-do-not-free-decrypted-pages-if-dynamic.patch
