cve/published/2023/CVE-2023-52484.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-52484: iommu/arm-smmu-v3: Fix soft lockup triggered by arm_smmu_mm_invalidate_range

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 iommu/arm-smmu-v3: Fix soft lockup triggered by arm_smmu_mm_invalidate_range

 When running an SVA case, the following soft lockup is triggered:
 --------------------------------------------------------------------
 watchdog: BUG: soft lockup - CPU#244 stuck for 26s!
 pstate: 83400009 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
 pc : arm_smmu_cmdq_issue_cmdlist+0x178/0xa50
 lr : arm_smmu_cmdq_issue_cmdlist+0x150/0xa50
 sp : ffff8000d83ef290
 x29: ffff8000d83ef290 x28: 000000003b9aca00 x27: 0000000000000000
 x26: ffff8000d83ef3c0 x25: da86c0812194a0e8 x24: 0000000000000000
 x23: 0000000000000040 x22: ffff8000d83ef340 x21: ffff0000c63980c0
 x20: 0000000000000001 x19: ffff0000c6398080 x18: 0000000000000000
 x17: 0000000000000000 x16: 0000000000000000 x15: ffff3000b4a3bbb0
 x14: ffff3000b4a30888 x13: ffff3000b4a3cf60 x12: 0000000000000000
 x11: 0000000000000000 x10: 0000000000000000 x9 : ffffc08120e4d6bc
 x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000048cfa
 x5 : 0000000000000000 x4 : 0000000000000001 x3 : 000000000000000a
 x2 : 0000000080000000 x1 : 0000000000000000 x0 : 0000000000000001
 Call trace:
  arm_smmu_cmdq_issue_cmdlist+0x178/0xa50
  __arm_smmu_tlb_inv_range+0x118/0x254
  arm_smmu_tlb_inv_range_asid+0x6c/0x130
  arm_smmu_mm_invalidate_range+0xa0/0xa4
  __mmu_notifier_invalidate_range_end+0x88/0x120
  unmap_vmas+0x194/0x1e0
  unmap_region+0xb4/0x144
  do_mas_align_munmap+0x290/0x490
  do_mas_munmap+0xbc/0x124
  __vm_munmap+0xa8/0x19c
  __arm64_sys_munmap+0x28/0x50
  invoke_syscall+0x78/0x11c
  el0_svc_common.constprop.0+0x58/0x1c0
  do_el0_svc+0x34/0x60
  el0_svc+0x2c/0xd4
  el0t_64_sync_handler+0x114/0x140
  el0t_64_sync+0x1a4/0x1a8
 --------------------------------------------------------------------

 Note that since 6.6-rc1 the arm_smmu_mm_invalidate_range above is renamed
 to "arm_smmu_mm_arch_invalidate_secondary_tlbs", yet the problem remains.

 The commit 06ff87bae8d3 ("arm64: mm: remove unused functions and variable
 protoypes") fixed a similar lockup on the CPU MMU side. Yet, it can occur
 to SMMU too, since arm_smmu_mm_arch_invalidate_secondary_tlbs() is called
 typically next to MMU tlb flush function, e.g.
 	tlb_flush_mmu_tlbonly {
 		tlb_flush {
 			__flush_tlb_range {
 				// check MAX_TLBI_OPS
 			}
 		}
 		mmu_notifier_arch_invalidate_secondary_tlbs {
 			arm_smmu_mm_arch_invalidate_secondary_tlbs {
 				// does not check MAX_TLBI_OPS
 			}
 		}
 	}

 Clone a CMDQ_MAX_TLBI_OPS from the MAX_TLBI_OPS in tlbflush.h, since in an
 SVA case SMMU uses the CPU page table, so it makes sense to align with the
 tlbflush code. Then, replace per-page TLBI commands with a single per-asid
 TLBI command, if the request size hits this threshold.

 The Linux kernel CVE team has assigned CVE-2023-52484 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 5.15.134 with commit f5a604757aa8e37ea9c7011dc9da54fa1b30f29b
 	Fixed in 6.1.56 with commit f90f4c562003ac3d3b135c5a40a5383313f27264
 	Fixed in 6.5.6 with commit 3283a1bce9bbc978059f790b84f3c10c32492429
 	Fixed in 6.6 with commit d5afb4b47e13161b3f33904d45110f9e6463bad6

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-52484
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/f5a604757aa8e37ea9c7011dc9da54fa1b30f29b
 	https://git.kernel.org/stable/c/f90f4c562003ac3d3b135c5a40a5383313f27264
 	https://git.kernel.org/stable/c/3283a1bce9bbc978059f790b84f3c10c32492429
 	https://git.kernel.org/stable/c/d5afb4b47e13161b3f33904d45110f9e6463bad6
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-52484: iommu/arm-smmu-v3: Fix soft lockup triggered by arm_smmu_mm_invalidate_range

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	iommu/arm-smmu-v3: Fix soft lockup triggered by arm_smmu_mm_invalidate_range

	When running an SVA case, the following soft lockup is triggered:
	--------------------------------------------------------------------
	watchdog: BUG: soft lockup - CPU#244 stuck for 26s!
	pstate: 83400009 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
	pc : arm_smmu_cmdq_issue_cmdlist+0x178/0xa50
	lr : arm_smmu_cmdq_issue_cmdlist+0x150/0xa50
	sp : ffff8000d83ef290
	x29: ffff8000d83ef290 x28: 000000003b9aca00 x27: 0000000000000000
	x26: ffff8000d83ef3c0 x25: da86c0812194a0e8 x24: 0000000000000000
	x23: 0000000000000040 x22: ffff8000d83ef340 x21: ffff0000c63980c0
	x20: 0000000000000001 x19: ffff0000c6398080 x18: 0000000000000000
	x17: 0000000000000000 x16: 0000000000000000 x15: ffff3000b4a3bbb0
	x14: ffff3000b4a30888 x13: ffff3000b4a3cf60 x12: 0000000000000000
	x11: 0000000000000000 x10: 0000000000000000 x9 : ffffc08120e4d6bc
	x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000048cfa
	x5 : 0000000000000000 x4 : 0000000000000001 x3 : 000000000000000a
	x2 : 0000000080000000 x1 : 0000000000000000 x0 : 0000000000000001
	Call trace:
	arm_smmu_cmdq_issue_cmdlist+0x178/0xa50
	__arm_smmu_tlb_inv_range+0x118/0x254
	arm_smmu_tlb_inv_range_asid+0x6c/0x130
	arm_smmu_mm_invalidate_range+0xa0/0xa4
	__mmu_notifier_invalidate_range_end+0x88/0x120
	unmap_vmas+0x194/0x1e0
	unmap_region+0xb4/0x144
	do_mas_align_munmap+0x290/0x490
	do_mas_munmap+0xbc/0x124
	__vm_munmap+0xa8/0x19c
	__arm64_sys_munmap+0x28/0x50
	invoke_syscall+0x78/0x11c
	el0_svc_common.constprop.0+0x58/0x1c0
	do_el0_svc+0x34/0x60
	el0_svc+0x2c/0xd4
	el0t_64_sync_handler+0x114/0x140
	el0t_64_sync+0x1a4/0x1a8
	--------------------------------------------------------------------

	Note that since 6.6-rc1 the arm_smmu_mm_invalidate_range above is renamed
	to "arm_smmu_mm_arch_invalidate_secondary_tlbs", yet the problem remains.

	The commit 06ff87bae8d3 ("arm64: mm: remove unused functions and variable
	protoypes") fixed a similar lockup on the CPU MMU side. Yet, it can occur
	to SMMU too, since arm_smmu_mm_arch_invalidate_secondary_tlbs() is called
	typically next to MMU tlb flush function, e.g.
	tlb_flush_mmu_tlbonly {
	tlb_flush {
	__flush_tlb_range {
	// check MAX_TLBI_OPS
	}
	}
	mmu_notifier_arch_invalidate_secondary_tlbs {
	arm_smmu_mm_arch_invalidate_secondary_tlbs {
	// does not check MAX_TLBI_OPS
	}
	}
	}

	Clone a CMDQ_MAX_TLBI_OPS from the MAX_TLBI_OPS in tlbflush.h, since in an
	SVA case SMMU uses the CPU page table, so it makes sense to align with the
	tlbflush code. Then, replace per-page TLBI commands with a single per-asid
	TLBI command, if the request size hits this threshold.

	The Linux kernel CVE team has assigned CVE-2023-52484 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 5.15.134 with commit f5a604757aa8e37ea9c7011dc9da54fa1b30f29b
	Fixed in 6.1.56 with commit f90f4c562003ac3d3b135c5a40a5383313f27264
	Fixed in 6.5.6 with commit 3283a1bce9bbc978059f790b84f3c10c32492429
	Fixed in 6.6 with commit d5afb4b47e13161b3f33904d45110f9e6463bad6

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52484
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/f5a604757aa8e37ea9c7011dc9da54fa1b30f29b
	https://git.kernel.org/stable/c/f90f4c562003ac3d3b135c5a40a5383313f27264
	https://git.kernel.org/stable/c/3283a1bce9bbc978059f790b84f3c10c32492429
	https://git.kernel.org/stable/c/d5afb4b47e13161b3f33904d45110f9e6463bad6