Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-52484— iommu/arm-smmu-v3: Fix soft lockup triggered by arm_smmu_mm_invalidate_range

EPSS 0.01% · P2
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2023-52484

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
iommu/arm-smmu-v3: Fix soft lockup triggered by arm_smmu_mm_invalidate_range
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: iommu/arm-smmu-v3: Fix soft lockup triggered by arm_smmu_mm_invalidate_range When running an SVA case, the following soft lockup is triggered: -------------------------------------------------------------------- watchdog: BUG: soft lockup - CPU#244 stuck for 26s! pstate: 83400009 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--) pc : arm_smmu_cmdq_issue_cmdlist+0x178/0xa50 lr : arm_smmu_cmdq_issue_cmdlist+0x150/0xa50 sp : ffff8000d83ef290 x29: ffff8000d83ef290 x28: 000000003b9aca00 x27: 0000000000000000 x26: ffff8000d83ef3c0 x25: da86c0812194a0e8 x24: 0000000000000000 x23: 0000000000000040 x22: ffff8000d83ef340 x21: ffff0000c63980c0 x20: 0000000000000001 x19: ffff0000c6398080 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: ffff3000b4a3bbb0 x14: ffff3000b4a30888 x13: ffff3000b4a3cf60 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : ffffc08120e4d6bc x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000048cfa x5 : 0000000000000000 x4 : 0000000000000001 x3 : 000000000000000a x2 : 0000000080000000 x1 : 0000000000000000 x0 : 0000000000000001 Call trace: arm_smmu_cmdq_issue_cmdlist+0x178/0xa50 __arm_smmu_tlb_inv_range+0x118/0x254 arm_smmu_tlb_inv_range_asid+0x6c/0x130 arm_smmu_mm_invalidate_range+0xa0/0xa4 __mmu_notifier_invalidate_range_end+0x88/0x120 unmap_vmas+0x194/0x1e0 unmap_region+0xb4/0x144 do_mas_align_munmap+0x290/0x490 do_mas_munmap+0xbc/0x124 __vm_munmap+0xa8/0x19c __arm64_sys_munmap+0x28/0x50 invoke_syscall+0x78/0x11c el0_svc_common.constprop.0+0x58/0x1c0 do_el0_svc+0x34/0x60 el0_svc+0x2c/0xd4 el0t_64_sync_handler+0x114/0x140 el0t_64_sync+0x1a4/0x1a8 -------------------------------------------------------------------- Note that since 6.6-rc1 the arm_smmu_mm_invalidate_range above is renamed to "arm_smmu_mm_arch_invalidate_secondary_tlbs", yet the problem remains. The commit 06ff87bae8d3 ("arm64: mm: remove unused functions and variable protoypes") fixed a similar lockup on the CPU MMU side. Yet, it can occur to SMMU too, since arm_smmu_mm_arch_invalidate_secondary_tlbs() is called typically next to MMU tlb flush function, e.g. tlb_flush_mmu_tlbonly { tlb_flush { __flush_tlb_range { // check MAX_TLBI_OPS } } mmu_notifier_arch_invalidate_secondary_tlbs { arm_smmu_mm_arch_invalidate_secondary_tlbs { // does not check MAX_TLBI_OPS } } } Clone a CMDQ_MAX_TLBI_OPS from the MAX_TLBI_OPS in tlbflush.h, since in an SVA case SMMU uses the CPU page table, so it makes sense to align with the tlbflush code. Then, replace per-page TLBI commands with a single per-asid TLBI command, if the request size hits this threshold.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel 存在安全漏洞,该漏洞源于内核线程使用和不释放 CPU 的时间超过规定时间。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux 51d113c3be09ff5b916576b1109daf413549cacc ~ f5a604757aa8e37ea9c7011dc9da54fa1b30f29b -
LinuxLinux 5.12 -

II. Public POCs for CVE-2023-52484

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2023-52484

登录查看更多情报信息。

Same Patch Batch · Linux · 2024-02-29 · 53 CVEs total

CVE-2021-47020soundwire: stream: fix memory leak in stream config error path
CVE-2021-47068net/nfc: fix use-after-free llcp_sock_bind/connect
CVE-2021-47067soc/tegra: regulators: Fix locking up when voltage-spread is out of range
CVE-2021-47062KVM: SVM: Use online_vcpus, not created_vcpus, to iterate over vCPUs
CVE-2021-47065rtw88: Fix array overrun in rtw_get_tx_power_params()
CVE-2021-47064mt76: fix potential DMA mapping leak
CVE-2021-47063drm: bridge/panel: Cleanup connector on bridge detach
CVE-2021-47066async_xor: increase src_offs when dropping destination page
CVE-2021-47055mtd: require write permissions for locking and badblock ioctls
CVE-2021-47054bus: qcom: Put child node before return
CVE-2021-47056crypto: qat - ADF_STATUS_PF_RUNNING should be set after adf_dev_init
CVE-2021-47016m68k: mvme147,mvme16x: Don't wipe PCC timer config bits
CVE-2021-46959spi: Fix use-after-free with devm_spi_alloc_*
CVE-2024-26620s390/vfio-ap: always filter entire AP matrix
CVE-2024-26619riscv: Fix module loading free order
CVE-2024-26618arm64/sme: Always exit sme_alloc() early with existing storage
CVE-2024-26617fs/proc/task_mmu: move mmu notification mechanism inside mm lock
CVE-2024-26616btrfs: scrub: avoid use-after-free when chunk length is not 64K aligned
CVE-2024-26615net/smc: fix illegal rmb_desc access in SMC-D connection dump
CVE-2024-26614tcp: make sure init the accept_queue's spinlocks once

Showing top 20 of 53 CVEs. View all on vendor page → →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2023-52484

No comments yet

Leave a comment