CVE-2022-48795

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> parisc: Fix data TLB miss in sba_unmap_sg<br /> <br /> Rolf Eike Beer reported the following bug:<br /> <br /> [1274934.746891] Bad Address (null pointer deref?): Code=15 (Data TLB miss fault) at addr 0000004140000018<br /> [1274934.746891] CPU: 3 PID: 5549 Comm: cmake Not tainted 5.15.4-gentoo-parisc64 #4<br /> [1274934.746891] Hardware name: 9000/785/C8000<br /> [1274934.746891]<br /> [1274934.746891] YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI<br /> [1274934.746891] PSW: 00001000000001001111111000001110 Not tainted<br /> [1274934.746891] r00-03 000000ff0804fe0e 0000000040bc9bc0 00000000406760e4 0000004140000000<br /> [1274934.746891] r04-07 0000000040b693c0 0000004140000000 000000004a2b08b0 0000000000000001<br /> [1274934.746891] r08-11 0000000041f98810 0000000000000000 000000004a0a7000 0000000000000001<br /> [1274934.746891] r12-15 0000000040bddbc0 0000000040c0cbc0 0000000040bddbc0 0000000040bddbc0<br /> [1274934.746891] r16-19 0000000040bde3c0 0000000040bddbc0 0000000040bde3c0 0000000000000007<br /> [1274934.746891] r20-23 0000000000000006 000000004a368950 0000000000000000 0000000000000001<br /> [1274934.746891] r24-27 0000000000001fff 000000000800000e 000000004a1710f0 0000000040b693c0<br /> [1274934.746891] r28-31 0000000000000001 0000000041f988b0 0000000041f98840 000000004a171118<br /> [1274934.746891] sr00-03 00000000066e5800 0000000000000000 0000000000000000 00000000066e5800<br /> [1274934.746891] sr04-07 0000000000000000 0000000000000000 0000000000000000 0000000000000000<br /> [1274934.746891]<br /> [1274934.746891] IASQ: 0000000000000000 0000000000000000 IAOQ: 00000000406760e8 00000000406760ec<br /> [1274934.746891] IIR: 48780030 ISR: 0000000000000000 IOR: 0000004140000018<br /> [1274934.746891] CPU: 3 CR30: 00000040e3a9c000 CR31: ffffffffffffffff<br /> [1274934.746891] ORIG_R28: 0000000040acdd58<br /> [1274934.746891] IAOQ[0]: sba_unmap_sg+0xb0/0x118<br /> [1274934.746891] IAOQ[1]: sba_unmap_sg+0xb4/0x118<br /> [1274934.746891] RP(r2): sba_unmap_sg+0xac/0x118<br /> [1274934.746891] Backtrace:<br /> [1274934.746891] [] dma_unmap_sg_attrs+0x6c/0x70<br /> [1274934.746891] [] scsi_dma_unmap+0x54/0x60<br /> [1274934.746891] [] mptscsih_io_done+0x150/0xd70<br /> [1274934.746891] [] mpt_interrupt+0x168/0xa68<br /> [1274934.746891] [] __handle_irq_event_percpu+0xc8/0x278<br /> [1274934.746891] [] handle_irq_event_percpu+0x3c/0xd8<br /> [1274934.746891] [] handle_percpu_irq+0xb4/0xf0<br /> [1274934.746891] [] generic_handle_irq+0x50/0x70<br /> [1274934.746891] [] call_on_stack+0x18/0x24<br /> [1274934.746891]<br /> [1274934.746891] Kernel panic - not syncing: Bad Address (null pointer deref?)<br /> <br /> The bug is caused by overrunning the sglist and incorrectly testing<br /> sg_dma_len(sglist) before nents. Normally this doesn&amp;#39;t cause a crash,<br /> but in this case sglist crossed a page boundary. This occurs in the<br /> following code:<br /> <br /> while (sg_dma_len(sglist) &amp;&amp; nents--) {<br /> <br /> The fix is simply to test nents first and move the decrement of nents<br /> into the loop.