CVE-2023-52484: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: iommu/arm-smmu-v3: Fix soft lockup triggered by arm_smmu_mm_invalidate_range When running an SVA case, the following soft lockup is triggered: -------------------------------------------------------------------- watchdog: BUG: soft lockup - CPU#244 stuck for 26s! pstate: 83400009 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--) pc : arm_smmu_cmdq_issue_cmdlist+0x178/0xa50 lr : arm_smmu_cmdq_issue_cmdlist+0x150/0xa50 sp : ffff8000d83ef290 x29: ffff8000d83ef290 x28: 000000003b9aca00 x27: 0000000000000000 x26: ffff8000d83ef3c0 x25: da86c0812194a0e8 x24: 0000000000000000 x23: 0000000000000040 x22: ffff8000d83ef340 x21: ffff0000c63980c0 x20: 0000000000000001 x19: ffff0000c6398080 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: ffff3000b4a3bbb0 x14: ffff3000b4a30888 x13: ffff3000b4a3cf60 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : ffffc08120e4d6bc x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000048cfa x5 : 0000000000000000 x4 : 0000000000000001 x3 : 000000000000000a x2 : 0000000080000000 x1 : 0000000000000000 x0 : 0000000000000001 Call trace: arm_smmu_cmdq_issue_cmdlist+0x178/0xa50 __arm_smmu_tlb_inv_range+0x118/0x254 arm_smmu_tlb_inv_range_asid+0x6c/0x130 arm_smmu_mm_invalidate_range+0xa0/0xa4 __mmu_notifier_invalidate_range_end+0x88/0x120 unmap_vmas+0x194/0x1e0 unmap_region+0xb4/0x144 do_mas_align_munmap+0x290/0x490 do_mas_munmap+0xbc/0x124 __vm_munmap+0xa8/0x19c __arm64_sys_munmap+0x28/0x50 invoke_syscall+0x78/0x11c el0_svc_common.constprop.0+0x58/0x1c0 do_el0_svc+0x34/0x60 el0_svc+0x2c/0xd4 el0t_64_sync_handler+0x114/0x140 el0t_64_sync+0x1a4/0x1a8 -------------------------------------------------------------------- Note that since 6.6-rc1 the arm_smmu_mm_invalidate_range above is renamed to "arm_smmu_mm_arch_invalidate_secondary_tlbs", yet the problem remains. The commit 06ff87bae8d3 ("arm64: mm: remove unused functions and variable protoypes") fixed a similar lockup on the CPU MMU side. Yet, it can occur to SMMU too, since arm_smmu_mm_arch_invalidate_secondary_tlbs() is called typically next to MMU tlb flush function, e.g. tlb_flush_mmu_tlbonly { tlb_flush { __flush_tlb_range { // check MAX_TLBI_OPS } } mmu_notifier_arch_invalidate_secondary_tlbs { arm_smmu_mm_arch_invalidate_secondary_tlbs { // does not check MAX_TLBI_OPS } } } Clone a CMDQ_MAX_TLBI_OPS from the MAX_TLBI_OPS in tlbflush.h, since in an SVA case SMMU uses the CPU page table, so it makes sense to align with the tlbflush code. Then, replace per-page TLBI commands with a single per-asid TLBI command, if the request size hits this threshold.
AI Analysis
Technical Summary
CVE-2023-52484 addresses a vulnerability in the Linux kernel specifically related to the ARM System Memory Management Unit (SMMU) version 3 implementation. The vulnerability manifests as a soft lockup triggered by the function arm_smmu_mm_invalidate_range (renamed in recent kernels to arm_smmu_mm_arch_invalidate_secondary_tlbs). This function is involved in invalidating translation lookaside buffers (TLBs) for memory management. The issue arises when the SMMU issues a large number of per-page TLB invalidation commands without proper batching or threshold checks, leading to excessive CPU lockup. The lockup is observed as a watchdog bug where a CPU core becomes unresponsive for an extended period (e.g., 26 seconds), effectively causing a denial of service on that CPU core. The root cause is that the SMMU's TLB invalidation logic does not respect the maximum number of TLB invalidation operations (MAX_TLBI_OPS) as the CPU MMU code does. The fix involves cloning the CMDQ_MAX_TLBI_OPS constant from the CPU MMU code and replacing multiple per-page invalidations with a single per-address space identifier (ASID) invalidation when the number of invalidations exceeds this threshold. This change aligns the SMMU behavior with the CPU MMU's approach, preventing the soft lockup. The vulnerability affects Linux kernel versions prior to the patch and is particularly relevant for systems using ARM architecture with SMMU v3 and Shared Virtual Addressing (SVA) features. While no known exploits are reported in the wild, the issue can cause system instability or denial of service in affected environments. The vulnerability does not require user interaction or authentication to trigger if the system is running workloads that cause the SMMU to perform extensive TLB invalidations, such as virtualization or advanced memory management scenarios.
Potential Impact
For European organizations, the impact of CVE-2023-52484 can be significant in environments running ARM-based Linux systems, especially those utilizing virtualization, containerization, or advanced memory management features that rely on SMMU v3 and SVA. The soft lockup can lead to CPU core hangs, resulting in degraded system performance, application crashes, or complete denial of service on critical infrastructure. This is particularly concerning for sectors relying on ARM-based servers, embedded systems, or edge computing devices, such as telecommunications, automotive, industrial control, and cloud service providers. The instability could disrupt services, cause data processing delays, or impact real-time systems. Since the vulnerability affects kernel-level memory management, it could indirectly affect confidentiality and integrity if system crashes lead to improper handling of sensitive data or system states. However, the primary impact is on availability. European organizations deploying ARM-based Linux systems in data centers or critical infrastructure must be aware of this vulnerability to avoid unexpected outages and maintain service continuity.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address CVE-2023-52484 as soon as they become available for your distribution or kernel version. Monitor vendor advisories for updated kernel releases. 2. For organizations using custom or embedded Linux kernels, backport the patch that clones CMDQ_MAX_TLBI_OPS and modifies the TLB invalidation logic in the arm_smmu driver to prevent soft lockups. 3. Test kernel updates in staging environments that replicate production workloads involving SMMU and SVA to ensure stability before deployment. 4. Monitor system logs for watchdog soft lockup messages or CPU stalls related to arm_smmu functions to detect potential exploitation or triggering of the vulnerability. 5. Limit or control workloads that cause extensive TLB invalidations on affected systems until patches are applied, such as reducing aggressive memory mapping/unmapping operations or tuning virtualization configurations. 6. Collaborate with hardware vendors to ensure firmware and platform support for updated kernel versions and SMMU behavior. 7. Maintain robust backup and recovery procedures to mitigate potential downtime caused by system instability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Italy, Spain, Poland
CVE-2023-52484: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: iommu/arm-smmu-v3: Fix soft lockup triggered by arm_smmu_mm_invalidate_range When running an SVA case, the following soft lockup is triggered: -------------------------------------------------------------------- watchdog: BUG: soft lockup - CPU#244 stuck for 26s! pstate: 83400009 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--) pc : arm_smmu_cmdq_issue_cmdlist+0x178/0xa50 lr : arm_smmu_cmdq_issue_cmdlist+0x150/0xa50 sp : ffff8000d83ef290 x29: ffff8000d83ef290 x28: 000000003b9aca00 x27: 0000000000000000 x26: ffff8000d83ef3c0 x25: da86c0812194a0e8 x24: 0000000000000000 x23: 0000000000000040 x22: ffff8000d83ef340 x21: ffff0000c63980c0 x20: 0000000000000001 x19: ffff0000c6398080 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: ffff3000b4a3bbb0 x14: ffff3000b4a30888 x13: ffff3000b4a3cf60 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : ffffc08120e4d6bc x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000048cfa x5 : 0000000000000000 x4 : 0000000000000001 x3 : 000000000000000a x2 : 0000000080000000 x1 : 0000000000000000 x0 : 0000000000000001 Call trace: arm_smmu_cmdq_issue_cmdlist+0x178/0xa50 __arm_smmu_tlb_inv_range+0x118/0x254 arm_smmu_tlb_inv_range_asid+0x6c/0x130 arm_smmu_mm_invalidate_range+0xa0/0xa4 __mmu_notifier_invalidate_range_end+0x88/0x120 unmap_vmas+0x194/0x1e0 unmap_region+0xb4/0x144 do_mas_align_munmap+0x290/0x490 do_mas_munmap+0xbc/0x124 __vm_munmap+0xa8/0x19c __arm64_sys_munmap+0x28/0x50 invoke_syscall+0x78/0x11c el0_svc_common.constprop.0+0x58/0x1c0 do_el0_svc+0x34/0x60 el0_svc+0x2c/0xd4 el0t_64_sync_handler+0x114/0x140 el0t_64_sync+0x1a4/0x1a8 -------------------------------------------------------------------- Note that since 6.6-rc1 the arm_smmu_mm_invalidate_range above is renamed to "arm_smmu_mm_arch_invalidate_secondary_tlbs", yet the problem remains. The commit 06ff87bae8d3 ("arm64: mm: remove unused functions and variable protoypes") fixed a similar lockup on the CPU MMU side. Yet, it can occur to SMMU too, since arm_smmu_mm_arch_invalidate_secondary_tlbs() is called typically next to MMU tlb flush function, e.g. tlb_flush_mmu_tlbonly { tlb_flush { __flush_tlb_range { // check MAX_TLBI_OPS } } mmu_notifier_arch_invalidate_secondary_tlbs { arm_smmu_mm_arch_invalidate_secondary_tlbs { // does not check MAX_TLBI_OPS } } } Clone a CMDQ_MAX_TLBI_OPS from the MAX_TLBI_OPS in tlbflush.h, since in an SVA case SMMU uses the CPU page table, so it makes sense to align with the tlbflush code. Then, replace per-page TLBI commands with a single per-asid TLBI command, if the request size hits this threshold.
AI-Powered Analysis
Technical Analysis
CVE-2023-52484 addresses a vulnerability in the Linux kernel specifically related to the ARM System Memory Management Unit (SMMU) version 3 implementation. The vulnerability manifests as a soft lockup triggered by the function arm_smmu_mm_invalidate_range (renamed in recent kernels to arm_smmu_mm_arch_invalidate_secondary_tlbs). This function is involved in invalidating translation lookaside buffers (TLBs) for memory management. The issue arises when the SMMU issues a large number of per-page TLB invalidation commands without proper batching or threshold checks, leading to excessive CPU lockup. The lockup is observed as a watchdog bug where a CPU core becomes unresponsive for an extended period (e.g., 26 seconds), effectively causing a denial of service on that CPU core. The root cause is that the SMMU's TLB invalidation logic does not respect the maximum number of TLB invalidation operations (MAX_TLBI_OPS) as the CPU MMU code does. The fix involves cloning the CMDQ_MAX_TLBI_OPS constant from the CPU MMU code and replacing multiple per-page invalidations with a single per-address space identifier (ASID) invalidation when the number of invalidations exceeds this threshold. This change aligns the SMMU behavior with the CPU MMU's approach, preventing the soft lockup. The vulnerability affects Linux kernel versions prior to the patch and is particularly relevant for systems using ARM architecture with SMMU v3 and Shared Virtual Addressing (SVA) features. While no known exploits are reported in the wild, the issue can cause system instability or denial of service in affected environments. The vulnerability does not require user interaction or authentication to trigger if the system is running workloads that cause the SMMU to perform extensive TLB invalidations, such as virtualization or advanced memory management scenarios.
Potential Impact
For European organizations, the impact of CVE-2023-52484 can be significant in environments running ARM-based Linux systems, especially those utilizing virtualization, containerization, or advanced memory management features that rely on SMMU v3 and SVA. The soft lockup can lead to CPU core hangs, resulting in degraded system performance, application crashes, or complete denial of service on critical infrastructure. This is particularly concerning for sectors relying on ARM-based servers, embedded systems, or edge computing devices, such as telecommunications, automotive, industrial control, and cloud service providers. The instability could disrupt services, cause data processing delays, or impact real-time systems. Since the vulnerability affects kernel-level memory management, it could indirectly affect confidentiality and integrity if system crashes lead to improper handling of sensitive data or system states. However, the primary impact is on availability. European organizations deploying ARM-based Linux systems in data centers or critical infrastructure must be aware of this vulnerability to avoid unexpected outages and maintain service continuity.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address CVE-2023-52484 as soon as they become available for your distribution or kernel version. Monitor vendor advisories for updated kernel releases. 2. For organizations using custom or embedded Linux kernels, backport the patch that clones CMDQ_MAX_TLBI_OPS and modifies the TLB invalidation logic in the arm_smmu driver to prevent soft lockups. 3. Test kernel updates in staging environments that replicate production workloads involving SMMU and SVA to ensure stability before deployment. 4. Monitor system logs for watchdog soft lockup messages or CPU stalls related to arm_smmu functions to detect potential exploitation or triggering of the vulnerability. 5. Limit or control workloads that cause extensive TLB invalidations on affected systems until patches are applied, such as reducing aggressive memory mapping/unmapping operations or tuning virtualization configurations. 6. Collaborate with hardware vendors to ensure firmware and platform support for updated kernel versions and SMMU behavior. 7. Maintain robust backup and recovery procedures to mitigate potential downtime caused by system instability.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-02-20T12:30:33.301Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9831c4522896dcbe7aef
Added to database: 5/21/2025, 9:09:05 AM
Last enriched: 7/1/2025, 9:28:40 AM
Last updated: 8/14/2025, 4:57:06 PM
Views: 12
Related Threats
CVE-2025-9091: Hard-coded Credentials in Tenda AC20
LowCVE-2025-9090: Command Injection in Tenda AC20
MediumCVE-2025-9092: CWE-400 Uncontrolled Resource Consumption in Legion of the Bouncy Castle Inc. Bouncy Castle for Java - BC-FJA 2.1.0
LowCVE-2025-9089: Stack-based Buffer Overflow in Tenda AC20
HighCVE-2025-9088: Stack-based Buffer Overflow in Tenda AC20
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.