CVE-2024-35814

Severity CVSS v4.0: Pending analysis
Type: CWE-415 Double Free
Publication date: 17/05/2024
Last modified: 19/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

swiotlb: Fix double-allocation of slots due to broken alignment handling

Commit bbb73a103fbb ("swiotlb: fix a braino in the alignment check fix"), which was a fix for commit 0eee5ae10256 ("swiotlb: fix slot alignment checks"), causes a functional regression with vsock in a virtual machine using bouncing via a restricted DMA SWIOTLB pool.

When virtio allocates the virtqueues for the vsock device using dma_alloc_coherent(), the SWIOTLB search can return page-unaligned allocations if 'area->index' was left unaligned by a previous allocation from the buffer:

# Final address in brackets is the SWIOTLB address returned to the caller
| virtio-pci 0000:00:07.0: orig_addr 0x0 alloc_size 0x2000, iotlb_align_mask 0x800 stride 0x2: got slot 1645-1649/7168 (0x98326800)
| virtio-pci 0000:00:07.0: orig_addr 0x0 alloc_size 0x2000, iotlb_align_mask 0x800 stride 0x2: got slot 1649-1653/7168 (0x98328800)
| virtio-pci 0000:00:07.0: orig_addr 0x0 alloc_size 0x2000, iotlb_align_mask 0x800 stride 0x2: got slot 1653-1657/7168 (0x9832a800)

This ends badly (typically buffer corruption and/or a hang) because swiotlb_alloc() is expecting a page-aligned allocation and so blindly returns a pointer to the 'struct page' corresponding to the allocation, therefore double-allocating the first half (2KiB slot) of the 4KiB page.

Fix the problem by treating the allocation alignment separately to any additional alignment requirements from the device, using the maximum of the two as the stride to search the buffer slots and taking care to ensure a minimum of page-alignment for buffers larger than a page.

This also resolves swiotlb allocation failures occurring due to the inclusion of ~PAGE_MASK in 'iotlb_align_mask' for large allocations and resulting in alignment requirements exceeding swiotlb_max_mapping_size().
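The following is an added, constructed model of the slot search described above; it is not the kernel's swiotlb code and is simplified to the orig_addr == 0 (dma_alloc_coherent) path shown in the log. It uses the report's 2KiB slots, 4KiB pages and 7168-slot pool, and assumes a page-aligned pool base (0x98000000 is a constructed value). The "broken" variant keeps the stride of 2 from the log but starts from an unaligned area->index, so an odd index is handed out as-is; the "fixed" variant follows the description: the allocation's own alignment (page alignment once the size exceeds a page) and the device's alignment are separate requirements, the larger of the two becomes the stride, and the start index is aligned to that stride before any candidate is tested.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not kernel code: 2KiB slots, 4KiB pages, as in the report. */
#define IO_TLB_SHIFT 11
#define IO_TLB_SIZE  (1UL << IO_TLB_SHIFT)
#define PAGE_SIZE    4096UL
#define NSLOTS       7168

struct pool {
    uint64_t start;          /* physical address of slot 0 (assumed page-aligned) */
    unsigned long index;     /* models area->index: where the next search begins */
    unsigned char used[NSLOTS];
};

static void pool_init(struct pool *p, unsigned long start_index) {
    memset(p, 0, sizeof(*p));
    p->start = 0x98000000ULL;   /* constructed base address */
    p->index = start_index;
}

static unsigned long nslots_for(size_t size) {
    return (size + IO_TLB_SIZE - 1) >> IO_TLB_SHIFT;
}

uint64_t slot_addr(const struct pool *p, unsigned long i) {
    return p->start + ((uint64_t)i << IO_TLB_SHIFT);
}

/* Is a run of n free slots available starting at index i? */
static bool run_free(const struct pool *p, unsigned long i, unsigned long n) {
    if (i + n > NSLOTS) return false;
    for (unsigned long k = 0; k < n; k++)
        if (p->used[i + k]) return false;
    return true;
}

/* Linear search from p->index; candidate indices are spaced by stride.
 * If align_start is set, the first candidate is rounded up to a multiple of stride. */
static long search(struct pool *p, unsigned long n, unsigned long stride, bool align_start) {
    unsigned long i = p->index;
    if (align_start)
        i = ((i + stride - 1) / stride) * stride;   /* ALIGN(i, stride) */
    for (unsigned long checked = 0; checked < NSLOTS; checked += stride) {
        if (run_free(p, i, n)) {
            memset(&p->used[i], 1, n);
            p->index = (i + n) % NSLOTS;
            return (long)i;
        }
        i = (i + stride) % NSLOTS;
    }
    return -1;
}

/* Broken behaviour from the report (orig_addr == 0 path): the stride derived
 * from the device mask is used between candidates, but the search starts at
 * whatever index the previous allocation left behind, aligned or not. */
long alloc_broken(struct pool *p, size_t size, uint64_t dev_align_mask) {
    unsigned long stride = (dev_align_mask >> IO_TLB_SHIFT) + 1;   /* 0x800 -> 2 */
    return search(p, nslots_for(size), stride, false);
}

/* Fixed behaviour as the description states it: allocation alignment and
 * device alignment are separate; take the maximum as the stride, guarantee
 * page alignment for anything larger than a page, and align the start index. */
long alloc_fixed(struct pool *p, size_t size, uint64_t dev_align_mask) {
    uint64_t alloc_align_mask = size > PAGE_SIZE ? PAGE_SIZE - 1 : 0;
    uint64_t mask = alloc_align_mask > dev_align_mask ? alloc_align_mask : dev_align_mask;
    unsigned long stride = (mask >> IO_TLB_SHIFT) + 1;
    return search(p, nslots_for(size), stride, true);
}

/* Reproduce the logged scenario: area->index left at 1645 by an earlier
 * allocation, then an 8KiB (0x2000) allocation with iotlb_align_mask 0x800.
 * Returns the SWIOTLB address the caller would receive. */
uint64_t demo_addr(bool fixed) {
    struct pool p;
    pool_init(&p, 1645);
    long i = fixed ? alloc_fixed(&p, 0x2000, 0x800) : alloc_broken(&p, 0x2000, 0x800);
    return i < 0 ? 0 : slot_addr(&p, (unsigned long)i);
}

bool page_aligned(uint64_t addr) {
    return (addr & (PAGE_SIZE - 1)) == 0;
}

int main(void) {
    uint64_t bad = demo_addr(false), good = demo_addr(true);
    printf("broken: 0x%llx page-aligned=%d\n", (unsigned long long)bad, page_aligned(bad));
    printf("fixed:  0x%llx page-aligned=%d\n", (unsigned long long)good, page_aligned(good));
    return 0;
}
```

With the pool index at 1645, the broken search returns slot 1645 (address ending in 0x800, so the returned struct page overlaps the neighbouring 2KiB slot, which is the double allocation the report describes); the fixed search rounds up to slot 1646 and returns a page-aligned address. A device mask larger than a page (for example 0x1fff) would raise the stride to 4 in the fixed variant, which is the "maximum of the two" rule in action.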

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.3 (including) 6.6.24 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.7.12 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.8 (including) 6.8.3 (excluding)