diff options
Diffstat (limited to 'debian/patches/bugfix/all/swiotlb-skip-swiotlb_bounce-when-orig_addr-is-zero.patch')
| -rw-r--r-- | debian/patches/bugfix/all/swiotlb-skip-swiotlb_bounce-when-orig_addr-is-zero.patch | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/debian/patches/bugfix/all/swiotlb-skip-swiotlb_bounce-when-orig_addr-is-zero.patch b/debian/patches/bugfix/all/swiotlb-skip-swiotlb_bounce-when-orig_addr-is-zero.patch new file mode 100644 index 000000000..df77ca0b2 --- /dev/null +++ b/debian/patches/bugfix/all/swiotlb-skip-swiotlb_bounce-when-orig_addr-is-zero.patch @@ -0,0 +1,47 @@ +From: Liu Shixin <liushixin2@huawei.com> +Date: Thu, 30 Jun 2022 19:33:31 +0800 +Subject: swiotlb: skip swiotlb_bounce when orig_addr is zero +Origin: https://lore.kernel.org/stable/20220630113331.1544886-1-liushixin2@huawei.com/ + +After patch ddbd89deb7d3 ("swiotlb: fix info leak with DMA_FROM_DEVICE"), +swiotlb_bounce will be called in swiotlb_tbl_map_single unconditionally. +This requires that the physical address must be valid, which is not always +true on stable-4.19 or earlier version. +On stable-4.19, swiotlb_alloc_buffer will call swiotlb_tbl_map_single with +orig_addr equal to zero, which cause such a panic: + +Unable to handle kernel paging request at virtual address ffffb77a40000000 +... +pc : __memcpy+0x100/0x180 +lr : swiotlb_bounce+0x74/0x88 +... +Call trace: + __memcpy+0x100/0x180 + swiotlb_tbl_map_single+0x2c8/0x338 + swiotlb_alloc+0xb4/0x198 + __dma_alloc+0x84/0x1d8 + ... + +On stable-4.9 and stable-4.14, swiotlb_alloc_coherent wille call map_single +with orig_addr equal to zero, which can cause same panic. + +Fix this by skipping swiotlb_bounce when orig_addr is zero. + +Fixes: ddbd89deb7d3 ("swiotlb: fix info leak with DMA_FROM_DEVICE") +Signed-off-by: Liu Shixin <liushixin2@huawei.com> +--- + kernel/dma/swiotlb.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/kernel/dma/swiotlb.c ++++ b/kernel/dma/swiotlb.c +@@ -594,7 +594,8 @@ found: + * unconditional bounce may prevent leaking swiotlb content (i.e. + * kernel memory) to user-space. + */ +- swiotlb_bounce(orig_addr, tlb_addr, size, DMA_TO_DEVICE); ++ if (orig_addr) ++ swiotlb_bounce(orig_addr, tlb_addr, size, DMA_TO_DEVICE); + return tlb_addr; + } + |