From: Greg Kroah-Hartman
To: linux-cve-announce@vger.kernel.org
Cc: gregkh@kernel.org
Subject: CVE-2023-52484: iommu/arm-smmu-v3: Fix soft lockup triggered by arm_smmu_mm_invalidate_range
Date: Thu, 29 Feb 2024 06:43:27 +0100
Message-ID: <2024022923-CVE-2023-52484-3635@gregkh>

From: gregkh@kernel.org

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

iommu/arm-smmu-v3: Fix soft lockup triggered by arm_smmu_mm_invalidate_range

When running an SVA case, the following soft lockup is triggered:
--------------------------------------------------------------------
watchdog: BUG: soft lockup - CPU#244 stuck for 26s!
pstate: 83400009 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : arm_smmu_cmdq_issue_cmdlist+0x178/0xa50
lr : arm_smmu_cmdq_issue_cmdlist+0x150/0xa50
sp : ffff8000d83ef290
x29: ffff8000d83ef290 x28: 000000003b9aca00 x27: 0000000000000000
x26: ffff8000d83ef3c0 x25: da86c0812194a0e8 x24: 0000000000000000
x23: 0000000000000040 x22: ffff8000d83ef340 x21: ffff0000c63980c0
x20: 0000000000000001 x19: ffff0000c6398080 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000 x15: ffff3000b4a3bbb0
x14: ffff3000b4a30888 x13: ffff3000b4a3cf60 x12: 0000000000000000
x11: 0000000000000000 x10: 0000000000000000 x9 : ffffc08120e4d6bc
x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000048cfa
x5 : 0000000000000000 x4 : 0000000000000001 x3 : 000000000000000a
x2 : 0000000080000000 x1 : 0000000000000000 x0 : 0000000000000001
Call trace:
 arm_smmu_cmdq_issue_cmdlist+0x178/0xa50
 __arm_smmu_tlb_inv_range+0x118/0x254
 arm_smmu_tlb_inv_range_asid+0x6c/0x130
 arm_smmu_mm_invalidate_range+0xa0/0xa4
 __mmu_notifier_invalidate_range_end+0x88/0x120
 unmap_vmas+0x194/0x1e0
 unmap_region+0xb4/0x144
 do_mas_align_munmap+0x290/0x490
 do_mas_munmap+0xbc/0x124
 __vm_munmap+0xa8/0x19c
 __arm64_sys_munmap+0x28/0x50
 invoke_syscall+0x78/0x11c
 el0_svc_common.constprop.0+0x58/0x1c0
 do_el0_svc+0x34/0x60
 el0_svc+0x2c/0xd4
 el0t_64_sync_handler+0x114/0x140
 el0t_64_sync+0x1a4/0x1a8
--------------------------------------------------------------------

Note that since 6.6-rc1 the arm_smmu_mm_invalidate_range above is renamed
to "arm_smmu_mm_arch_invalidate_secondary_tlbs", yet the problem remains.

The commit 06ff87bae8d3 ("arm64: mm: remove unused functions and variable
protoypes") fixed a similar lockup on the CPU MMU side. Yet, it can occur
to SMMU too, since arm_smmu_mm_arch_invalidate_secondary_tlbs() is called
typically next to MMU tlb flush function, e.g.
        tlb_flush_mmu_tlbonly {
                tlb_flush {
                        __flush_tlb_range {
                                // check MAX_TLBI_OPS
                        }
                }
                mmu_notifier_arch_invalidate_secondary_tlbs {
                        arm_smmu_mm_arch_invalidate_secondary_tlbs {
                                // does not check MAX_TLBI_OPS
                        }
                }
        }

Clone a CMDQ_MAX_TLBI_OPS from the MAX_TLBI_OPS in tlbflush.h, since in an
SVA case SMMU uses the CPU page table, so it makes sense to align with the
tlbflush code. Then, replace per-page TLBI commands with a single per-asid
TLBI command, if the request size hits this threshold.

The Linux kernel CVE team has assigned CVE-2023-52484 to this issue.


Affected and fixed versions
===========================

        Fixed in 5.15.134 with commit f5a604757aa8
        Fixed in 6.1.56 with commit f90f4c562003
        Fixed in 6.5.6 with commit 3283a1bce9bb
        Fixed in 6.6 with commit d5afb4b47e13

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
        https://cve.org/CVERecord/?id=CVE-2023-52484
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
        drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.
If however, updating to the latest release is impossible, the individual
changes to resolve this issue can be found at these commits:
        https://git.kernel.org/stable/c/f5a604757aa8e37ea9c7011dc9da54fa1b30f29b
        https://git.kernel.org/stable/c/f90f4c562003ac3d3b135c5a40a5383313f27264
        https://git.kernel.org/stable/c/3283a1bce9bbc978059f790b84f3c10c32492429
        https://git.kernel.org/stable/c/d5afb4b47e13161b3f33904d45110f9e6463bad6
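
The threshold check described in the Description section, as an added example that is not the kernel's code and not part of the original advisory: a user-space C model comparing how many TLBI commands a range invalidation queues before and after the fix. The 4 KiB page size, the threshold value of 512 and all names (plan_unbounded, plan_bounded, MODEL_*) are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed model values; the advisory does not give the real constants. */
#define MODEL_PAGE_SHIFT 12
#define MODEL_PAGE_SIZE  (1ULL << MODEL_PAGE_SHIFT)
#define MODEL_MAX_TLBI_OPS 512ULL /* hypothetical stand-in for CMDQ_MAX_TLBI_OPS */

enum inv_kind { INV_NONE, INV_PER_PAGE, INV_PER_ASID };
struct inv_plan { enum inv_kind kind; uint64_t ncmds; };

/* Pre-fix behaviour: one TLBI command per page touched, with no upper bound. */
static struct inv_plan plan_unbounded(uint64_t start, uint64_t end)
{
    struct inv_plan p = { INV_NONE, 0 };
    if (end <= start)
        return p;                      /* empty or inverted range: nothing to do */
    uint64_t lo = start & ~(MODEL_PAGE_SIZE - 1);                        /* round down */
    uint64_t hi = (end + MODEL_PAGE_SIZE - 1) & ~(MODEL_PAGE_SIZE - 1);  /* round up */
    p.kind = INV_PER_PAGE;
    p.ncmds = (hi - lo) >> MODEL_PAGE_SHIFT;
    return p;
}

/* Post-fix behaviour: a request at or above the threshold becomes one per-ASID command. */
static struct inv_plan plan_bounded(uint64_t start, uint64_t end)
{
    struct inv_plan p = plan_unbounded(start, end);
    if (p.kind == INV_PER_PAGE &&
        end - start >= MODEL_MAX_TLBI_OPS * MODEL_PAGE_SIZE) {
        p.kind = INV_PER_ASID;
        p.ncmds = 1;
    }
    return p;
}

int main(void)
{
    /* Constructed request sizes: 1 page, threshold - 1 page, threshold, 1 GiB. */
    uint64_t sizes[] = { 4096, 511 * 4096ULL, 512 * 4096ULL, 1ULL << 30 };
    for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
        struct inv_plan a = plan_unbounded(0, sizes[i]);
        struct inv_plan b = plan_bounded(0, sizes[i]);
        printf("%10llu bytes: before=%llu cmds, after=%llu cmds (%s)\n",
               (unsigned long long)sizes[i], (unsigned long long)a.ncmds,
               (unsigned long long)b.ncmds,
               b.kind == INV_PER_ASID ? "per-ASID" : "per-page");
    }
    return 0;
}
```

In this model a 1 GiB unmap queues 262144 per-page commands without the check and a single per-ASID command with it, which is the unbounded command-queue work behind the soft lockup in the trace.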