CVE-2023-52484

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
29/02/2024
Last modified:
10/12/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

iommu/arm-smmu-v3: Fix soft lockup triggered by arm_smmu_mm_invalidate_range

When running an SVA case, the following soft lockup is triggered:
--------------------------------------------------------------------
watchdog: BUG: soft lockup - CPU#244 stuck for 26s!
pstate: 83400009 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : arm_smmu_cmdq_issue_cmdlist+0x178/0xa50
lr : arm_smmu_cmdq_issue_cmdlist+0x150/0xa50
sp : ffff8000d83ef290
x29: ffff8000d83ef290 x28: 000000003b9aca00 x27: 0000000000000000
x26: ffff8000d83ef3c0 x25: da86c0812194a0e8 x24: 0000000000000000
x23: 0000000000000040 x22: ffff8000d83ef340 x21: ffff0000c63980c0
x20: 0000000000000001 x19: ffff0000c6398080 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000 x15: ffff3000b4a3bbb0
x14: ffff3000b4a30888 x13: ffff3000b4a3cf60 x12: 0000000000000000
x11: 0000000000000000 x10: 0000000000000000 x9 : ffffc08120e4d6bc
x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000048cfa
x5 : 0000000000000000 x4 : 0000000000000001 x3 : 000000000000000a
x2 : 0000000080000000 x1 : 0000000000000000 x0 : 0000000000000001
Call trace:
 arm_smmu_cmdq_issue_cmdlist+0x178/0xa50
 __arm_smmu_tlb_inv_range+0x118/0x254
 arm_smmu_tlb_inv_range_asid+0x6c/0x130
 arm_smmu_mm_invalidate_range+0xa0/0xa4
 __mmu_notifier_invalidate_range_end+0x88/0x120
 unmap_vmas+0x194/0x1e0
 unmap_region+0xb4/0x144
 do_mas_align_munmap+0x290/0x490
 do_mas_munmap+0xbc/0x124
 __vm_munmap+0xa8/0x19c
 __arm64_sys_munmap+0x28/0x50
 invoke_syscall+0x78/0x11c
 el0_svc_common.constprop.0+0x58/0x1c0
 do_el0_svc+0x34/0x60
 el0_svc+0x2c/0xd4
 el0t_64_sync_handler+0x114/0x140
 el0t_64_sync+0x1a4/0x1a8
--------------------------------------------------------------------

Note that since 6.6-rc1 the arm_smmu_mm_invalidate_range above is renamed
to "arm_smmu_mm_arch_invalidate_secondary_tlbs", yet the problem remains.

The commit 06ff87bae8d3 ("arm64: mm: remove unused functions and variable
protoypes") fixed a similar lockup on the CPU MMU side. Yet, it can occur
to SMMU too, since arm_smmu_mm_arch_invalidate_secondary_tlbs() is called
typically next to MMU tlb flush function, e.g.
    tlb_flush_mmu_tlbonly {
        tlb_flush {
            __flush_tlb_range {
                // check MAX_TLBI_OPS
            }
        }
        mmu_notifier_arch_invalidate_secondary_tlbs {
            arm_smmu_mm_arch_invalidate_secondary_tlbs {
                // does not check MAX_TLBI_OPS
            }
        }
    }

Clone a CMDQ_MAX_TLBI_OPS from the MAX_TLBI_OPS in tlbflush.h, since in an
SVA case SMMU uses the CPU page table, so it makes sense to align with the
tlbflush code. Then, replace per-page TLBI commands with a single per-asid
TLBI command, if the request size hits this threshold.

Vulnerable products and versions

| CPE | From | Up to |
| --- | --- | --- |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | | 5.15.134 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.56 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.5.6 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.6:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.6:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.6:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.6:rc4:*:*:*:*:*:* | | |