CVE-2024-44976

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-44976
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-44976.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-44976
Downstream
Published
2024-09-04T19:54:28Z
Modified
2025-10-22T01:53:06.288148Z
Summary
ata: pata_macio: Fix DMA table overflow
Details

In the Linux kernel, the following vulnerability has been resolved:

ata: pata_macio: Fix DMA table overflow

Kolbjørn and Jonáš reported that their 32-bit PowerMacs were crashing in pata-macio since commit 09fe2bfa6b83 ("ata: pata_macio: Fix max_segment_size with PAGE_SIZE == 64K").

For example:

kernel BUG at drivers/ata/pata_macio.c:544!
Oops: Exception in kernel mode, sig: 5 [#1]
BE PAGE_SIZE=4K MMU=Hash SMP NR_CPUS=2 DEBUG_PAGEALLOC PowerMac
...
NIP pata_macio_qc_prep+0xf4/0x190
LR pata_macio_qc_prep+0xfc/0x190
Call Trace:
0xc1421660 (unreliable)
ata_qc_issue+0x14c/0x2d4
__ata_scsi_queuecmd+0x200/0x53c
ata_scsi_queuecmd+0x50/0xe0
scsi_queue_rq+0x788/0xb1c
__blk_mq_issue_directly+0x58/0xf4
blk_mq_plug_issue_direct+0x8c/0x1b4
blk_mq_flush_plug_list.part.0+0x584/0x5e0
__blk_flush_plug+0xf8/0x194
__submit_bio+0x1b8/0x2e0
submit_bio_noacct_nocheck+0x230/0x304
btrfs_work_helper+0x200/0x338
process_one_work+0x1a8/0x338
worker_thread+0x364/0x4c0
kthread+0x100/0x104
start_kernel_thread+0x10/0x14

That commit increased max_segment_size to 64KB, with the justification that the SCSI core was already using that size when PAGE_SIZE == 64KB, and that there was existing logic to split over-sized requests.

However with a sufficiently large request, the splitting logic causes each sg to be split into two commands in the DMA table, leading to overflow of the DMA table, triggering the BUG_ON().

With default settings the bug doesn't trigger, because the request size is limited by max_sectors_kb == 1280, however max_sectors_kb can be increased, and apparently some distros do that by default using udev rules.

Fix the bug for 4KB kernels by reverting to the old max_segment_size.

For 64KB kernels the sg_tablesize needs to be halved, to allow for the possibility that each sg will be split into two.
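The table arithmetic behind this overflow, as a constructed model added here (not the driver's code and not part of the advisory); it assumes a 256-entry DBDMA command table, a 0xff00-byte limit per command, and 0xff00 as the old max_segment_size, none of which the record states:

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of how a DBDMA command table gets filled from a
 * scatterlist. Assumed values (not from the advisory): the table holds
 * MAX_DCMDS = 256 commands and one command moves at most 0xff00 bytes,
 * so a 64KB sg entry must be split into two commands. */
#define MAX_DCMDS     256
#define DBDMA_CMD_MAX 0xff00u
#define SZ_64K        65536u

/* Count the commands needed for nsegs scatterlist entries of seg_len
 * bytes each. Returns the entries consumed, or -1 where the table is
 * exhausted mid-request (the point at which the driver's BUG_ON fires). */
static long fill_dma_table(size_t nsegs, size_t seg_len, size_t table_size)
{
    long pi = 0;
    for (size_t i = 0; i < nsegs; i++) {
        size_t len = seg_len;
        while (len) {
            size_t chunk = len > DBDMA_CMD_MAX ? DBDMA_CMD_MAX : len;
            if ((size_t)pi >= table_size)
                return -1;          /* overflow of the DMA table */
            pi++;
            len -= chunk;
        }
    }
    return pi;
}

/* Worst case the block layer can hand over once max_sectors_kb is raised:
 * sg_tablesize entries, each max_segment_size bytes long. */
static long worst_case(size_t sg_tablesize, size_t max_segment_size)
{
    return fill_dma_table(sg_tablesize, max_segment_size, MAX_DCMDS);
}

int main(void)
{
    /* broken: 256 sg x 64KB -> 512 commands, table of 256 overflows */
    printf("sg=256 seg=64K    -> %ld\n", worst_case(256, SZ_64K));
    /* 4KB-kernel fix: old segment size, one command per sg */
    printf("sg=256 seg=0xff00 -> %ld\n", worst_case(256, DBDMA_CMD_MAX));
    /* 64KB-kernel fix: sg_tablesize halved, two commands per sg still fit */
    printf("sg=128 seg=64K    -> %ld\n", worst_case(128, SZ_64K));
    return 0;
}
```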

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
09fe2bfa6b83f865126ce3964744863f69a4a030
Fixed
709e4c8f78e156ab332297bdd87527ec3da4e2d4
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
09fe2bfa6b83f865126ce3964744863f69a4a030
Fixed
822c8020aebcf5804a143b891e34f29873fee5e2

Affected versions

v6.*

v6.10
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.10.1
v6.10.2
v6.10.3
v6.10.4
v6.10.5
v6.10.6
v6.11-rc1

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.10.0
Fixed
6.10.7