CISA-2024-56568
Reported by Linux · Published December 27, 2024
In the Linux kernel, the following vulnerability has been resolved: iommu/arm-smmu: Defer probe of clients after smmu device bound Null pointer dereference occurs due to a race between smmu driver probe and client driver probe, when of_dma_configure() for client is called after the iommu_device_register() for smmu driver probe has executed but before the driver_bound() for smmu driver has been called. Following is how the race occurs: T1:Smmu device probe T2: Client device probe really_probe() arm_smmu_device_probe() iommu_device_register() really_probe() platform_dma_configure() of_dma_configure() of_dma_configure_id() of_iommu_configure() iommu_probe_device() iommu_init_device() arm_smmu_probe_device() arm_smmu_get_by_fwnode() driver_find_device_by_fwnode() driver_find_device() next_device() klist_next() /* null ptr assigned to smmu */ /* null ptr dereference while smmu->streamid_mask */ driver_bound() klist_add_tail() When this null smmu pointer is dereferenced later in arm_smmu_probe_device, the device crashes. Fix this by deferring the probe of the client device until the smmu device has bound to the arm smmu driver. [will: Add comment]
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux | 021bb8420d44cf56102d44fca9af628625e75482, 021bb8420d44cf56102d44fca9af628625e75482, 021bb8420d44cf56102d44fca9af628625e75482 |
| Linux | Linux | 4.9, 0, 5.10.231 |
| linux | linux_kernel | 4.9, 4.9, 4.9 |
| Linux | Linux | 021bb8420d44cf56102d44fca9af628625e75482, *, 021bb8420d44cf56102d44fca9af628625e75482 |
Timeline
- Dec 27, 2024 CVE Published
- Nov 3, 2025 CVE Updated