In the Linux kernel, the following vulnerability has been resolved:
swiotlb: fix out-of-bounds TLB allocations with CONFIGSWIOTLBDYNAMIC
Limit the free list length to the size of the IO TLB. Transient pool can be smaller than IOTLBSEGSIZE, but the free list is initialized with the assumption that the total number of slots is a multiple of IOTLBSEGSIZE. As a result, swiotlbareafind_slots() may allocate slots past the end of a transient IO TLB buffer.