CVE-2023-52910

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 21/08/2024
Last modified: 12/09/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

iommu/iova: Fix alloc iova overflows issue

In __alloc_and_insert_iova_range, there is an issue that retry_pfn overflows. The value of iovad->anchor.pfn_hi is ~0UL, then when iovad->cached_node is iovad->anchor, curr_iova->pfn_hi + 1 will overflow. As a result, if the retry logic is executed, low_pfn is updated to 0, and then new_pfn cached_node is assigned as iovad->anchor. For example, the iova domain size is 10M, start_pfn is 0x1_F000_0000, and the iova size allocated for the first time is 11M. The following is the log information; new->pfn_lo is smaller than iovad->cached_node.

Example log as follows:
[ 223.798112][T1705487] sh: [name:iova&]__alloc_and_insert_iova_range start_pfn:0x1f0000,retry_pfn:0x0,size:0xb00,limit_pfn:0x1f0a00
[ 223.799590][T1705487] sh: [name:iova&]__alloc_and_insert_iova_range success start_pfn:0x1f0000,new->pfn_lo:0x1efe00,new->pfn_hi:0x1f08ff

2. The node with the largest iova->pfn_lo value in the iova domain is deleted, iovad->cached_node will be updated to iovad->anchor, and then the alloc iova size exceeds the maximum iova size that can be allocated in the domain.

After judging that retry_pfn is less than limit_pfn, call retry_pfn+1 to fix the overflow issue.
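The following is an added illustration, not kernel code and not part of the advisory: a constructed C model of the backwards walk in __alloc_and_insert_iova_range with a switch between the overflowing retry computation (pfn_hi + 1 taken before the bound check) and the fixed ordering (compare pfn_hi against limit_pfn first, add 1 afterwards). The sorted array standing in for the rbtree, the `alloc_range` and `demo_*` names, the restart from the anchor on retry, and the 4 KiB page size implied by the log's 0xa00-pfn domain are all assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the IOVA allocator's backwards walk; not kernel code.
 * A domain is a sorted list of allocated [pfn_lo, pfn_hi] ranges whose last
 * entry is the anchor node, which the kernel also places at pfn ~0UL. */
#define MAX_NODES 8

struct iova {
    unsigned long pfn_lo, pfn_hi;
};

struct iova_domain {
    unsigned long start_pfn;
    struct iova nodes[MAX_NODES]; /* ascending by pfn; nodes[nr-1] is the anchor */
    int nr;
};

static void domain_init(struct iova_domain *d, unsigned long start_pfn)
{
    d->start_pfn = start_pfn;
    d->nodes[0].pfn_lo = ~0UL;    /* anchor: pfn_hi + 1 wraps to 0 (unsigned) */
    d->nodes[0].pfn_hi = ~0UL;
    d->nr = 1;
}

/* Search for a free range of 'size' pfns below limit_pfn, walking down from
 * the cached node (modelled here as the anchor, the case the advisory names).
 * fixed == false: retry_pfn = pfn_hi + 1 is computed before the bound check,
 *                 so the anchor yields retry_pfn == 0 and low_pfn becomes 0.
 * fixed == true:  retry_pfn = pfn_hi is compared against limit_pfn first and
 *                 the + 1 is applied only after that check passes. */
static bool alloc_range(const struct iova_domain *d, unsigned long size,
                        unsigned long limit_pfn, bool fixed, struct iova *out)
{
    unsigned long low_pfn = d->start_pfn, high_pfn = limit_pfn;
    unsigned long new_pfn, retry_pfn;
    int curr = d->nr - 1;                 /* cached node: the anchor */
    const struct iova *ci = &d->nodes[curr];

    retry_pfn = fixed ? ci->pfn_hi : ci->pfn_hi + 1;
retry:
    do {
        if (ci->pfn_lo < high_pfn)
            high_pfn = ci->pfn_lo;
        new_pfn = high_pfn - size;        /* candidate just below the gap */
        curr--;
        ci = curr >= 0 ? &d->nodes[curr] : NULL;
    } while (ci && new_pfn <= ci->pfn_hi && new_pfn >= low_pfn);

    if (high_pfn < size || new_pfn < low_pfn) {
        /* Nothing fit below the cached node: retry once from the top. */
        if (low_pfn == d->start_pfn && retry_pfn < limit_pfn) {
            high_pfn = limit_pfn;
            low_pfn = fixed ? retry_pfn + 1 : retry_pfn;
            curr = d->nr - 1;
            ci = &d->nodes[curr];
            goto retry;
        }
        return false;                     /* domain genuinely full */
    }
    out->pfn_lo = new_pfn;
    out->pfn_hi = new_pfn + size - 1;
    return true;
}

/* Scenario from the advisory's log: a 0xa00-pfn (10M at 4 KiB pages) domain
 * starting at pfn 0x1f0000, first request 0xb00 pfns (11M). Constructed values. */
#define START_PFN 0x1f0000UL
#define LIMIT_PFN 0x1f0a00UL

/* Unfixed: the oversized request "succeeds" with pfn_lo below start_pfn. */
static bool demo_unfixed_escapes_domain(void)
{
    struct iova_domain d; struct iova r;
    domain_init(&d, START_PFN);
    return alloc_range(&d, 0xb00UL, LIMIT_PFN, false, &r) && r.pfn_lo < d.start_pfn;
}

/* Fixed: the same request is refused instead of landing outside the domain. */
static bool demo_fixed_rejects_oversize(void)
{
    struct iova_domain d; struct iova r;
    domain_init(&d, START_PFN);
    return !alloc_range(&d, 0xb00UL, LIMIT_PFN, true, &r);
}

/* Fixed: a request that fits is still placed at the top of the domain. */
static unsigned long demo_fixed_valid_pfn_lo(void)
{
    struct iova_domain d; struct iova r;
    domain_init(&d, START_PFN);
    if (!alloc_range(&d, 0x100UL, LIMIT_PFN, true, &r))
        return 0;
    return r.pfn_lo;
}

int main(void)
{
    printf("unfixed allocates below start_pfn: %s\n",
           demo_unfixed_escapes_domain() ? "yes" : "no");
    printf("fixed rejects oversized request:   %s\n",
           demo_fixed_rejects_oversize() ? "yes" : "no");
    printf("fixed valid request pfn_lo:        0x%lx\n", demo_fixed_valid_pfn_lo());
    return 0;
}
```

The point the model isolates is the ordering of the bound check: with the anchor as cached node, `pfn_hi + 1` wraps to 0 before `retry_pfn < limit_pfn` is evaluated, so the retry silently widens the search window down to pfn 0 and a request larger than the domain is granted at addresses the domain does not own. Moving the `+ 1` after the comparison keeps the window inside [start_pfn, limit_pfn).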

Vulnerable products and versions

CPE                                               From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.11 (including)   5.15.89 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.16 (including)   6.1.7 (excluding)
cpe:2.3:o:linux:linux_kernel:6.2:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.2:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.2:rc3:*:*:*:*:*:*