Petr Tesarik ce7612496a swiotlb: fix out-of-bounds TLB allocations with CONFIG_SWIOTLB_DYNAMIC
commit 53c87e846e335e3c18044c397cc35178163d7827 upstream.

Limit the free list length to the size of the IO TLB. Transient pool can be
smaller than IO_TLB_SEGSIZE, but the free list is initialized with the
assumption that the total number of slots is a multiple of IO_TLB_SEGSIZE.
As a result, swiotlb_area_find_slots() may allocate slots past the end of
a transient IO TLB buffer.

Reported-by: Niklas Schnelle <schnelle@linux.ibm.com>
Closes: https://lore.kernel.org/linux-iommu/104a8c8fedffd1ff8a2890983e2ec1c26bff6810.camel@linux.ibm.com/
Fixes: 79636caad361 ("swiotlb: if swiotlb is full, fall back to a transient memory pool")
Cc: stable@vger.kernel.org
Signed-off-by: Petr Tesarik <petr.tesarik1@huawei-partners.com>
Reviewed-by: Halil Pasic <pasic@linux.ibm.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-11-28 17:20:13 +00:00
..
2023-09-05 11:01:47 -07:00
2023-11-28 17:19:54 +00:00
2023-11-28 17:19:59 +00:00
2023-08-30 08:17:35 -07:00
2022-09-26 10:13:13 -07:00
2023-08-18 10:18:49 -07:00
2023-09-01 15:44:45 -07:00
2023-03-24 11:01:29 +01:00
2023-08-30 09:16:56 -07:00
2023-11-28 17:19:40 +00:00
2023-08-23 09:38:17 +09:00
2023-06-28 15:51:08 -07:00
2023-09-19 13:21:33 -07:00
2023-06-28 16:05:21 -07:00
2023-08-15 15:26:17 -07:00