cve/published/2022/CVE-2022-49522.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49522: mmc: jz4740: Apply DMA engine limits to maximum segment size

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 mmc: jz4740: Apply DMA engine limits to maximum segment size

 Do what is done in other DMA-enabled MMC host drivers (cf. host/mmci.c) and
 limit the maximum segment size based on the DMA engine's capabilities. This
 is needed to avoid warnings like the following with CONFIG_DMA_API_DEBUG=y.

 ------------[ cut here ]------------
 WARNING: CPU: 0 PID: 21 at kernel/dma/debug.c:1162 debug_dma_map_sg+0x2f4/0x39c
 DMA-API: jz4780-dma 13420000.dma-controller: mapping sg segment longer than device claims to support [len=98304] [max=65536]
 CPU: 0 PID: 21 Comm: kworker/0:1H Not tainted 5.18.0-rc1 #19
 Workqueue: kblockd blk_mq_run_work_fn
 Stack : 81575aec 00000004 80620000 80620000 80620000 805e7358 00000009 801537ac
         814c832c 806276e3 806e34b4 80620000 81575aec 00000001 81575ab8 09291444
         00000000 00000000 805e7358 81575958 ffffffea 8157596c 00000000 636f6c62
         6220646b 80387a70 0000000f 6d5f6b6c 80620000 00000000 81575ba4 00000009
         805e170c 80896640 00000001 00010000 00000000 00000000 00006098 806e0000
         ...
 Call Trace:
 [<80107670>] show_stack+0x84/0x120
 [<80528cd8>] __warn+0xb8/0xec
 [<80528d78>] warn_slowpath_fmt+0x6c/0xb8
 [<8016f1d4>] debug_dma_map_sg+0x2f4/0x39c
 [<80169d4c>] __dma_map_sg_attrs+0xf0/0x118
 [<8016a27c>] dma_map_sg_attrs+0x14/0x28
 [<804f66b4>] jz4740_mmc_prepare_dma_data+0x74/0xa4
 [<804f6714>] jz4740_mmc_pre_request+0x30/0x54
 [<804f4ff4>] mmc_blk_mq_issue_rq+0x6e0/0x7bc
 [<804f5590>] mmc_mq_queue_rq+0x220/0x2d4
 [<8038b2c0>] blk_mq_dispatch_rq_list+0x480/0x664
 [<80391040>] blk_mq_do_dispatch_sched+0x2dc/0x370
 [<80391468>] __blk_mq_sched_dispatch_requests+0xec/0x164
 [<80391540>] blk_mq_sched_dispatch_requests+0x44/0x94
 [<80387900>] __blk_mq_run_hw_queue+0xb0/0xcc
 [<80134c14>] process_one_work+0x1b8/0x264
 [<80134ff8>] worker_thread+0x2ec/0x3b8
 [<8013b13c>] kthread+0x104/0x10c
 [<80101dcc>] ret_from_kernel_thread+0x14/0x1c

 ---[ end trace 0000000000000000 ]---

 The Linux kernel CVE team has assigned CVE-2022-49522 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 5.4.198 with commit 7923f95997a79cef2ad161a2facae64c25a0bca0
 	Fixed in 5.10.121 with commit 90281cadf5077f2d2bec8b08c2ead1f8cd12660e
 	Fixed in 5.15.46 with commit 353298cadbd4c7d8e8a16d6000066414694933c3
 	Fixed in 5.17.14 with commit 807f90f1960a59dc557542b818c484a8db9ac978
 	Fixed in 5.18.3 with commit a828920b9ec0d89d3011198d482b7fe224d2de19
 	Fixed in 5.19 with commit afadb04f1d6e74b18a253403f5274cde5e3fd7bd

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49522
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/mmc/host/jz4740_mmc.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/7923f95997a79cef2ad161a2facae64c25a0bca0
 	https://git.kernel.org/stable/c/90281cadf5077f2d2bec8b08c2ead1f8cd12660e
 	https://git.kernel.org/stable/c/353298cadbd4c7d8e8a16d6000066414694933c3
 	https://git.kernel.org/stable/c/807f90f1960a59dc557542b818c484a8db9ac978
 	https://git.kernel.org/stable/c/a828920b9ec0d89d3011198d482b7fe224d2de19
 	https://git.kernel.org/stable/c/afadb04f1d6e74b18a253403f5274cde5e3fd7bd
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49522: mmc: jz4740: Apply DMA engine limits to maximum segment size

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	mmc: jz4740: Apply DMA engine limits to maximum segment size

	Do what is done in other DMA-enabled MMC host drivers (cf. host/mmci.c) and
	limit the maximum segment size based on the DMA engine's capabilities. This
	is needed to avoid warnings like the following with CONFIG_DMA_API_DEBUG=y.

	------------[ cut here ]------------
	WARNING: CPU: 0 PID: 21 at kernel/dma/debug.c:1162 debug_dma_map_sg+0x2f4/0x39c
	DMA-API: jz4780-dma 13420000.dma-controller: mapping sg segment longer than device claims to support [len=98304] [max=65536]
	CPU: 0 PID: 21 Comm: kworker/0:1H Not tainted 5.18.0-rc1 #19
	Workqueue: kblockd blk_mq_run_work_fn
	Stack : 81575aec 00000004 80620000 80620000 80620000 805e7358 00000009 801537ac
	814c832c 806276e3 806e34b4 80620000 81575aec 00000001 81575ab8 09291444
	00000000 00000000 805e7358 81575958 ffffffea 8157596c 00000000 636f6c62
	6220646b 80387a70 0000000f 6d5f6b6c 80620000 00000000 81575ba4 00000009
	805e170c 80896640 00000001 00010000 00000000 00000000 00006098 806e0000
	...
	Call Trace:
	[<80107670>] show_stack+0x84/0x120
	[<80528cd8>] __warn+0xb8/0xec
	[<80528d78>] warn_slowpath_fmt+0x6c/0xb8
	[<8016f1d4>] debug_dma_map_sg+0x2f4/0x39c
	[<80169d4c>] __dma_map_sg_attrs+0xf0/0x118
	[<8016a27c>] dma_map_sg_attrs+0x14/0x28
	[<804f66b4>] jz4740_mmc_prepare_dma_data+0x74/0xa4
	[<804f6714>] jz4740_mmc_pre_request+0x30/0x54
	[<804f4ff4>] mmc_blk_mq_issue_rq+0x6e0/0x7bc
	[<804f5590>] mmc_mq_queue_rq+0x220/0x2d4
	[<8038b2c0>] blk_mq_dispatch_rq_list+0x480/0x664
	[<80391040>] blk_mq_do_dispatch_sched+0x2dc/0x370
	[<80391468>] __blk_mq_sched_dispatch_requests+0xec/0x164
	[<80391540>] blk_mq_sched_dispatch_requests+0x44/0x94
	[<80387900>] __blk_mq_run_hw_queue+0xb0/0xcc
	[<80134c14>] process_one_work+0x1b8/0x264
	[<80134ff8>] worker_thread+0x2ec/0x3b8
	[<8013b13c>] kthread+0x104/0x10c
	[<80101dcc>] ret_from_kernel_thread+0x14/0x1c

	---[ end trace 0000000000000000 ]---

	The Linux kernel CVE team has assigned CVE-2022-49522 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 5.4.198 with commit 7923f95997a79cef2ad161a2facae64c25a0bca0
	Fixed in 5.10.121 with commit 90281cadf5077f2d2bec8b08c2ead1f8cd12660e
	Fixed in 5.15.46 with commit 353298cadbd4c7d8e8a16d6000066414694933c3
	Fixed in 5.17.14 with commit 807f90f1960a59dc557542b818c484a8db9ac978
	Fixed in 5.18.3 with commit a828920b9ec0d89d3011198d482b7fe224d2de19
	Fixed in 5.19 with commit afadb04f1d6e74b18a253403f5274cde5e3fd7bd

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49522
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/mmc/host/jz4740_mmc.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/7923f95997a79cef2ad161a2facae64c25a0bca0
	https://git.kernel.org/stable/c/90281cadf5077f2d2bec8b08c2ead1f8cd12660e
	https://git.kernel.org/stable/c/353298cadbd4c7d8e8a16d6000066414694933c3
	https://git.kernel.org/stable/c/807f90f1960a59dc557542b818c484a8db9ac978
	https://git.kernel.org/stable/c/a828920b9ec0d89d3011198d482b7fe224d2de19
	https://git.kernel.org/stable/c/afadb04f1d6e74b18a253403f5274cde5e3fd7bd