CVE-2022-48895

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-48895
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-48895.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-48895
Published
2024-08-21T07:15:05Z
Modified
2024-09-18T01:00:21Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

iommu/arm-smmu: Don't unregister on shutdown

Michael Walle says he noticed the following stack trace while performing a shutdown with "reboot -f". He suggests he got "lucky" and just hit the correct spot for the reboot while there was a packet transmission in flight.

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000098
CPU: 0 PID: 23 Comm: kworker/0:1 Not tainted 6.1.0-rc5-00088-gf3600ff8e322 #1930
Hardware name: Kontron KBox A-230-LS (DT)
pc : iommu_get_dma_domain+0x14/0x20
lr : iommu_dma_map_page+0x9c/0x254
Call trace:
 iommu_get_dma_domain+0x14/0x20
 dma_map_page_attrs+0x1ec/0x250
 enetc_start_xmit+0x14c/0x10b0
 enetc_xmit+0x60/0xdc
 dev_hard_start_xmit+0xb8/0x210
 sch_direct_xmit+0x11c/0x420
 __dev_queue_xmit+0x354/0xb20
 ip6_finish_output2+0x280/0x5b0
 __ip6_finish_output+0x15c/0x270
 ip6_output+0x78/0x15c
 NF_HOOK.constprop.0+0x50/0xd0
 mld_sendpack+0x1bc/0x320
 mld_ifc_work+0x1d8/0x4dc
 process_one_work+0x1e8/0x460
 worker_thread+0x178/0x534
 kthread+0xe0/0xe4
 ret_from_fork+0x10/0x20
Code: d503201f f9416800 d503233f d50323bf (f9404c00)
---[ end trace 0000000000000000 ]---
Kernel panic - not syncing: Oops: Fatal exception in interrupt

This appears to be reproducible when the board has a fixed IP address, is ping flooded from another host, and "reboot -f" is used.

The following is one more manifestation of the issue:

$ reboot -f
kvm: exiting hardware virtualization
cfg80211: failed to load regulatory.db
arm-smmu 5000000.iommu: disabling translation
sdhci-esdhc 2140000.mmc: Removing from iommu group 11
sdhci-esdhc 2150000.mmc: Removing from iommu group 12
fsl-edma 22c0000.dma-controller: Removing from iommu group 17
dwc3 3100000.usb: Removing from iommu group 9
dwc3 3110000.usb: Removing from iommu group 10
ahci-qoriq 3200000.sata: Removing from iommu group 2
fsl-qdma 8380000.dma-controller: Removing from iommu group 20
platform f080000.display: Removing from iommu group 0
etnaviv-gpu f0c0000.gpu: Removing from iommu group 1
etnaviv etnaviv: Removing from iommu group 1
caam_jr 8010000.jr: Removing from iommu group 13
caam_jr 8020000.jr: Removing from iommu group 14
caam_jr 8030000.jr: Removing from iommu group 15
caam_jr 8040000.jr: Removing from iommu group 16
fsl_enetc 0000:00:00.0: Removing from iommu group 4
arm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with "arm-smmu.disable_bypass=0" to allow, but this may have security implications
arm-smmu 5000000.iommu: GFSR 0x80000002, GFSYNR0 0x00000002, GFSYNR1 0x00000429, GFSYNR2 0x00000000
fsl_enetc 0000:00:00.1: Removing from iommu group 5
arm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with "arm-smmu.disable_bypass=0" to allow, but this may have security implications
arm-smmu 5000000.iommu: GFSR 0x80000002, GFSYNR0 0x00000002, GFSYNR1 0x00000429, GFSYNR2 0x00000000
arm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with "arm-smmu.disable_bypass=0" to allow, but this may have security implications
arm-smmu 5000000.iommu: GFSR 0x80000002, GFSYNR0 0x00000000, GFSYNR1 0x00000429, GFSYNR2 0x00000000
fsl_enetc 0000:00:00.2: Removing from iommu group 6
fsl_enetc_mdio 0000:00:00.3: Removing from iommu group 8
mscc_felix 0000:00:00.5: Removing from iommu group 3
fsl_enetc 0000:00:00.6: Removing from iommu group 7
pcieport 0001:00:00.0: Removing from iommu group 18
arm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with "arm-smmu.disable_bypass=0" to allow, but this may have security implications
arm-smmu 5000000.iommu: GFSR 0x00000002, GFSYNR0 0x00000000, GFSYNR1 0x00000429, GFSYNR2 0x00000000
pcieport 0002:00:00.0: Removing from iommu group 19
Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a8
pc : iommu_get_dma_domain+0x14/0x20
lr : iommu_dma_unmap_page+0x38/0xe0
Call trace:
 iommu_get_dma_domain+0x14/0x20
 dma_unmap_page_attrs+0x38/0x1d0
 en ---truncated---

Affected packages

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.1.7-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.1.7-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}