CVE-2023-54060
- Source
- https://cve.org/CVERecord?id=CVE-2023-54060
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-54060.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2023-54060
- Downstream
- Related
- Published
- 2025-12-24T12:23:07.276Z
- Modified
- 2026-03-23T05:02:08.836592678Z
- Summary
- iommufd: Set end correctly when doing batch carry
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
iommufd: Set end correctly when doing batch carry
Even though the test suite covers this it somehow became obscured that this wasn't working.
The test iommufdioas.mockdomain.accessdomaindestory would blow up rarely.
end should be set to 1 because this just pushed an item, the carry, to the pfns list.
Sometimes the test would blow up with:
BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: errorcode(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] SMP CPU: 5 PID: 584 Comm: iommufd Not tainted 6.5.0-rc1-dirty #1236 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:batchunpin+0xa2/0x100 [iommufd] Code: 17 48 81 fe ff ff 07 00 77 70 48 8b 15 b7 be 97 e2 48 85 d2 74 14 48 8b 14 fa 48 85 d2 74 0b 40 0f b6 f6 48 c1 e6 04 48 01 f2 <48> 8b 3a 48 c1 e0 06 89 ca 48 89 de 48 83 e7 f0 48 01 c7 e8 96 dc RSP: 0018:ffffc90001677a58 EFLAGS: 00010246 RAX: 00007f7e2646f000 RBX: 0000000000000000 RCX: 0000000000000001 RDX: 0000000000000000 RSI: 00000000fefc4c8d RDI: 0000000000fefc4c RBP: ffffc90001677a80 R08: 0000000000000048 R09: 0000000000000200 R10: 0000000000030b98 R11: ffffffff81f3bb40 R12: 0000000000000001 R13: ffff888101f75800 R14: ffffc90001677ad0 R15: 00000000000001fe FS: 00007f9323679740(0000) GS:ffff8881ba540000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 0000000105ede003 CR4: 00000000003706a0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? show_regs+0x5c/0x70 ? __die+0x1f/0x60 ? pagefaultoops+0x15d/0x440 ? lockrelease+0xbc/0x240 ? excpagefault+0x4a4/0x970 ? asmexcpagefault+0x27/0x30 ? batchunpin+0xa2/0x100 [iommufd] ? batchunpin+0xba/0x100 [iommufd] __ioptareaunfill_domain+0x198/0x430 [iommufd] ? __mutex_lock+0x8c/0xb80 ? __mutexlock+0x6aa/0xb80 ? xaerase+0x28/0x30 ? iopttableremovedomain+0x162/0x320 [iommufd] ? lockrelease+0xbc/0x240 ioptareaunfilldomain+0xd/0x10 [iommufd] iopttableremovedomain+0x195/0x320 [iommufd] iommufdhwpagetabledestroy+0xb3/0x110 [iommufd] iommufdobjectdestroyuser+0x8e/0xf0 [iommufd] iommufddevicedetach+0xc5/0x140 [iommufd] iommufdselftestdestroy+0x1f/0x70 [iommufd] iommufdobjectdestroyuser+0x8e/0xf0 [iommufd] iommufddestroy+0x3a/0x50 [iommufd] iommufdfopsioctl+0xfb/0x170 [iommufd] __x64sysioctl+0x40d/0x9a0 dosyscall64+0x3c/0x80 entrySYSCALL64afterhwframe+0x46/0xb0
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54060.json" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/176f36a376c417b58d19f79edfce20db9317eaa2
- https://git.kernel.org/stable/c/b7c822fa6b7701b17e139f1c562fc24135880ed4
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54060.json
- https://nvd.nist.gov/vuln/detail/CVE-2023-54060
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedf394576eb11dbcd3a740fa41e577b97f0720d26eFixed176f36a376c417b58d19f79edfce20db9317eaa2Fixedb7c822fa6b7701b17e139f1c562fc24135880ed4