CVE-2024-35818: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: LoongArch: Define the __io_aw() hook as mmiowb() Commit fb24ea52f78e0d595852e ("drivers: Remove explicit invocations of mmiowb()") remove all mmiowb() in drivers, but it says: "NOTE: mmiowb() has only ever guaranteed ordering in conjunction with spin_unlock(). However, pairing each mmiowb() removal in this patch with the corresponding call to spin_unlock() is not at all trivial, so there is a small chance that this change may regress any drivers incorrectly relying on mmiowb() to order MMIO writes between CPUs using lock-free synchronisation." The mmio in radeon_ring_commit() is protected by a mutex rather than a spinlock, but in the mutex fastpath it behaves similar to spinlock. We can add mmiowb() calls in the radeon driver but the maintainer says he doesn't like such a workaround, and radeon is not the only example of mutex protected mmio. So we should extend the mmiowb tracking system from spinlock to mutex, and maybe other locking primitives. This is not easy and error prone, so we solve it in the architectural code, by simply defining the __io_aw() hook as mmiowb(). And we no longer need to override queued_spin_unlock() so use the generic definition. Without this, we get such an error when run 'glxgears' on weak ordering architectures such as LoongArch: radeon 0000:04:00.0: ring 0 stalled for more than 10324msec radeon 0000:04:00.0: ring 3 stalled for more than 10240msec radeon 0000:04:00.0: GPU lockup (current fence id 0x000000000001f412 last fence id 0x000000000001f414 on ring 3) radeon 0000:04:00.0: GPU lockup (current fence id 0x000000000000f940 last fence id 0x000000000000f941 on ring 0) radeon 0000:04:00.0: scheduling IB failed (-35). [drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35) radeon 0000:04:00.0: scheduling IB failed (-35). [drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35) radeon 0000:04:00.0: scheduling IB failed (-35). [drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35) radeon 0000:04:00.0: scheduling IB failed (-35). [drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35) radeon 0000:04:00.0: scheduling IB failed (-35). [drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35) radeon 0000:04:00.0: scheduling IB failed (-35). [drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35) radeon 0000:04:00.0: scheduling IB failed (-35). [drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)
AI Analysis
Technical Summary
CVE-2024-35818 addresses a subtle but critical vulnerability in the Linux kernel related to memory-mapped I/O (MMIO) write ordering on weakly ordered architectures, specifically LoongArch. The vulnerability arises from the removal of explicit calls to the mmiowb() function, which guarantees ordering of MMIO writes when used in conjunction with spin_unlock(). The patch fb24ea52f78e0d595852e removed all explicit mmiowb() calls in drivers, but the Linux kernel developers noted that mmiowb() only guarantees ordering when paired with spin_unlock(), and extending this guarantee to other locking primitives like mutexes is non-trivial and error-prone. In particular, the radeon graphics driver uses mutexes to protect MMIO operations, but mutexes do not inherently provide the same memory ordering guarantees as spinlocks. Without proper ordering, MMIO writes may be reordered on weakly ordered architectures such as LoongArch, leading to GPU lockups and failures in graphics operations, as demonstrated by errors during the execution of 'glxgears'. The errors include stalled GPU rings and scheduling failures, indicating that the GPU command submission pipeline is disrupted. The fix implemented involves defining the __io_aw() hook as mmiowb() at the architectural level, ensuring that MMIO write ordering is enforced regardless of the locking primitive used. This architectural solution avoids the complexity and risk of patching individual drivers and locking mechanisms. The vulnerability highlights the challenges of maintaining correct memory ordering semantics across diverse CPU architectures and synchronization primitives in the Linux kernel. No known exploits are reported in the wild, and the issue primarily affects systems running Linux kernels with the affected commit versions on weakly ordered architectures like LoongArch, especially when using drivers such as radeon that perform MMIO operations protected by mutexes rather than spinlocks.
Potential Impact
For European organizations, this vulnerability could lead to system instability and denial of service conditions on Linux systems running on weakly ordered architectures such as LoongArch, which are less common but may be used in specialized or emerging computing environments. The primary impact is on the availability of systems relying on affected drivers like radeon for GPU operations, potentially causing GPU lockups and rendering graphical applications unusable. This can disrupt workflows in sectors relying on Linux-based graphical computing, including scientific research, media production, and industrial control systems. While confidentiality and integrity impacts are minimal since this is not a direct code execution or privilege escalation vulnerability, the availability impact can be significant in environments where GPU functionality is critical. European organizations deploying Linux on LoongArch or similar architectures should be aware of potential system hangs or degraded performance. Additionally, the architectural fix may influence kernel stability and driver behavior, necessitating thorough testing before deployment in production environments.
Mitigation Recommendations
1. Apply the official Linux kernel patches that define the __io_aw() hook as mmiowb() at the architecture level to ensure proper MMIO write ordering across all locking primitives. 2. For organizations using the radeon driver or similar drivers with mutex-protected MMIO, validate that the kernel version includes this fix to prevent GPU lockups. 3. Conduct comprehensive testing of graphical workloads, especially on weakly ordered architectures like LoongArch, after applying kernel updates to detect any residual issues. 4. Monitor system logs for GPU-related errors such as 'ring stalled' or 'scheduling IB failed' messages to identify potential symptoms of this issue. 5. Where possible, consider architectural choices and driver configurations that avoid reliance on mutexes for MMIO operations or ensure that memory barriers are correctly implemented. 6. Engage with Linux kernel maintainers and driver developers to stay informed about further refinements or backports of this fix to stable kernel branches. 7. For critical systems, implement fallback or redundancy mechanisms to mitigate the impact of potential GPU lockups on availability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Finland, Sweden
CVE-2024-35818: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: LoongArch: Define the __io_aw() hook as mmiowb() Commit fb24ea52f78e0d595852e ("drivers: Remove explicit invocations of mmiowb()") remove all mmiowb() in drivers, but it says: "NOTE: mmiowb() has only ever guaranteed ordering in conjunction with spin_unlock(). However, pairing each mmiowb() removal in this patch with the corresponding call to spin_unlock() is not at all trivial, so there is a small chance that this change may regress any drivers incorrectly relying on mmiowb() to order MMIO writes between CPUs using lock-free synchronisation." The mmio in radeon_ring_commit() is protected by a mutex rather than a spinlock, but in the mutex fastpath it behaves similar to spinlock. We can add mmiowb() calls in the radeon driver but the maintainer says he doesn't like such a workaround, and radeon is not the only example of mutex protected mmio. So we should extend the mmiowb tracking system from spinlock to mutex, and maybe other locking primitives. This is not easy and error prone, so we solve it in the architectural code, by simply defining the __io_aw() hook as mmiowb(). And we no longer need to override queued_spin_unlock() so use the generic definition. Without this, we get such an error when run 'glxgears' on weak ordering architectures such as LoongArch: radeon 0000:04:00.0: ring 0 stalled for more than 10324msec radeon 0000:04:00.0: ring 3 stalled for more than 10240msec radeon 0000:04:00.0: GPU lockup (current fence id 0x000000000001f412 last fence id 0x000000000001f414 on ring 3) radeon 0000:04:00.0: GPU lockup (current fence id 0x000000000000f940 last fence id 0x000000000000f941 on ring 0) radeon 0000:04:00.0: scheduling IB failed (-35). [drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35) radeon 0000:04:00.0: scheduling IB failed (-35). [drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35) radeon 0000:04:00.0: scheduling IB failed (-35). [drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35) radeon 0000:04:00.0: scheduling IB failed (-35). [drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35) radeon 0000:04:00.0: scheduling IB failed (-35). [drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35) radeon 0000:04:00.0: scheduling IB failed (-35). [drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35) radeon 0000:04:00.0: scheduling IB failed (-35). [drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)
AI-Powered Analysis
Technical Analysis
CVE-2024-35818 addresses a subtle but critical vulnerability in the Linux kernel related to memory-mapped I/O (MMIO) write ordering on weakly ordered architectures, specifically LoongArch. The vulnerability arises from the removal of explicit calls to the mmiowb() function, which guarantees ordering of MMIO writes when used in conjunction with spin_unlock(). The patch fb24ea52f78e0d595852e removed all explicit mmiowb() calls in drivers, but the Linux kernel developers noted that mmiowb() only guarantees ordering when paired with spin_unlock(), and extending this guarantee to other locking primitives like mutexes is non-trivial and error-prone. In particular, the radeon graphics driver uses mutexes to protect MMIO operations, but mutexes do not inherently provide the same memory ordering guarantees as spinlocks. Without proper ordering, MMIO writes may be reordered on weakly ordered architectures such as LoongArch, leading to GPU lockups and failures in graphics operations, as demonstrated by errors during the execution of 'glxgears'. The errors include stalled GPU rings and scheduling failures, indicating that the GPU command submission pipeline is disrupted. The fix implemented involves defining the __io_aw() hook as mmiowb() at the architectural level, ensuring that MMIO write ordering is enforced regardless of the locking primitive used. This architectural solution avoids the complexity and risk of patching individual drivers and locking mechanisms. The vulnerability highlights the challenges of maintaining correct memory ordering semantics across diverse CPU architectures and synchronization primitives in the Linux kernel. No known exploits are reported in the wild, and the issue primarily affects systems running Linux kernels with the affected commit versions on weakly ordered architectures like LoongArch, especially when using drivers such as radeon that perform MMIO operations protected by mutexes rather than spinlocks.
Potential Impact
For European organizations, this vulnerability could lead to system instability and denial of service conditions on Linux systems running on weakly ordered architectures such as LoongArch, which are less common but may be used in specialized or emerging computing environments. The primary impact is on the availability of systems relying on affected drivers like radeon for GPU operations, potentially causing GPU lockups and rendering graphical applications unusable. This can disrupt workflows in sectors relying on Linux-based graphical computing, including scientific research, media production, and industrial control systems. While confidentiality and integrity impacts are minimal since this is not a direct code execution or privilege escalation vulnerability, the availability impact can be significant in environments where GPU functionality is critical. European organizations deploying Linux on LoongArch or similar architectures should be aware of potential system hangs or degraded performance. Additionally, the architectural fix may influence kernel stability and driver behavior, necessitating thorough testing before deployment in production environments.
Mitigation Recommendations
1. Apply the official Linux kernel patches that define the __io_aw() hook as mmiowb() at the architecture level to ensure proper MMIO write ordering across all locking primitives. 2. For organizations using the radeon driver or similar drivers with mutex-protected MMIO, validate that the kernel version includes this fix to prevent GPU lockups. 3. Conduct comprehensive testing of graphical workloads, especially on weakly ordered architectures like LoongArch, after applying kernel updates to detect any residual issues. 4. Monitor system logs for GPU-related errors such as 'ring stalled' or 'scheduling IB failed' messages to identify potential symptoms of this issue. 5. Where possible, consider architectural choices and driver configurations that avoid reliance on mutexes for MMIO operations or ensure that memory barriers are correctly implemented. 6. Engage with Linux kernel maintainers and driver developers to stay informed about further refinements or backports of this fix to stable kernel branches. 7. For critical systems, implement fallback or redundancy mechanisms to mitigate the impact of potential GPU lockups on availability.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-05-17T12:19:12.343Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d982ac4522896dcbe3567
Added to database: 5/21/2025, 9:08:58 AM
Last enriched: 6/29/2025, 4:11:49 PM
Last updated: 7/28/2025, 7:32:35 AM
Views: 14
Related Threats
CVE-2025-22834: CWE-665 Improper Initialization in AMI AptioV
MediumCVE-2025-22830: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in AMI AptioV
HighCVE-2025-43735: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Liferay Portal
MediumCVE-2025-40770: CWE-300: Channel Accessible by Non-Endpoint in Siemens SINEC Traffic Analyzer
HighCVE-2025-40769: CWE-1164: Irrelevant Code in Siemens SINEC Traffic Analyzer
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.