Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A signedness bug has been identified in the unmapping process of the IOMMU IO-Pgtable-Arm component of the Linux kernel. The function '__arm_lpae_unmap()' was incorrectly returning a negative error code (-ENOENT) when it encountered an unmapped Page Table Entry (PTE). This negative value, when interpreted as a size_t (an unsigned type), transformed into a large positive number on 64-bit systems. This erroneous value then propagated through several functions, ultimately causing an overflow in the I/O Virtual Address (IOVA) handling, triggering a BUG_ON condition due to invalid address alignment. The issue has been fixed by ensuring '__arm_lpae_unmap()' returns 0 instead of -ENOENT, aligning the function's behavior with other IO-Pgtable implementations that return 0 on error conditions.
Because of the signedness error, a negative error code could be interpreted as a large positive number, which could then overflow the I/O Virtual Address (IOVA) handling in the unmapping process. This overflow could trigger a BUG_ON condition due to invalid address alignment, potentially causing a system crash or instability.
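The following user-space model is an added example, not the kernel's code: it shows how a negative errno returned through a `size_t` corrupts the caller's IOVA arithmetic, next to the return-0 behaviour the fix adopts. The toy page table and the names `unmap_page_buggy`, `unmap_page_fixed` and `unmap_range` are hypothetical.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define PAGE_SZ 4096u
#define NPAGES  8u
static bool pte_mapped[NPAGES];   /* constructed toy table: true = mapped PTE */

/* Pre-fix behaviour: -ENOENT leaves through an unsigned return type. */
static size_t unmap_page_buggy(size_t idx)
{
    if (!pte_mapped[idx])
        return (size_t)-ENOENT;   /* 0xFFFFFFFFFFFFFFFE when size_t is 64-bit */
    pte_mapped[idx] = false;
    return PAGE_SZ;
}

/* Post-fix behaviour: an unmapped PTE reports 0 bytes unmapped. */
static size_t unmap_page_fixed(size_t idx)
{
    if (!pte_mapped[idx])
        return 0;
    pte_mapped[idx] = false;
    return PAGE_SZ;
}

/* Maps pages [0, mapped), then unmaps npages from IOVA 0, advancing the IOVA by
 * what the callee reports. A non-page-aligned result trips an alignment check. */
static uint64_t unmap_range(size_t mapped, size_t npages, size_t (*unmap)(size_t))
{
    uint64_t iova = 0;
    for (size_t i = 0; i < NPAGES; i++)
        pte_mapped[i] = i < mapped;
    for (size_t i = 0; i < npages && i < NPAGES; i++) {
        size_t done = unmap(i);
        if (done == 0)
            break;                /* callee unmapped nothing: stop cleanly */
        iova += done;             /* wraps when done is a cast errno */
        if (iova % PAGE_SZ)
            break;                /* misaligned: stop before reusing it */
    }
    return iova;
}

int main(void)
{
    printf("buggy %#llx, fixed %#llx\n", (unsigned long long)unmap_range(2, 4, unmap_page_buggy),
           (unsigned long long)unmap_range(2, 4, unmap_page_fixed));
    return 0;
}
```

With two of four pages mapped, the fixed callee leaves the IOVA at the page-aligned 0x2000, while the buggy one moves it to an address that is no longer a multiple of the page size.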
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. The specific commit containing the fix can be downloaded as a tarball.