CVE CyberSecurity Database News

CVE-2025-22012 - Linux Kernel SDM845/850 SMMU Pagetable Walker Vulnerability (Explained)

Poster -

CVE-2025-22012 is a recent security vulnerability found in the Linux kernel, specifically affecting ARM64 devices utilizing Qualcomm SDM845/850 SoCs. Devices running these chips—ranging from high-end development boards like the Dragonboard 845c to popular laptops such as the Lenovo Yoga C630—were susceptible to system lock-ups and unexpected resets due to cache coherency issues in the IOMMU’s pagetable walker.

This post breaks down what the vulnerability is, why it happened, how it impacts devices, and the exact Linux kernel code change involved. If you work with Linux on ARM hardware, read on for everything you need to know—including how to spot and help mitigate this issue.

What’s the Problem?

At its core, this is about the way some Qualcomm SDM845/850 devices handle memory management for connected hardware through the SMMU (System Memory Management Unit). A change added to the Linux device tree for these chips enabled a feature called IDR.CCTW on the Application SMMU (apps_smmu). It turns out, this change wasn’t safe across all devices: it resulted in sporadic system freezes and unexpected reboots.

Why Did This Happen?

The problem is a mismatch between hardware support and firmware/software assumptions. Some models—thanks to newer firmware (“hypervisor stack”)—handle this feature correctly. Devices with firmware that predates this specific fix would crash or reset when the feature is switched on. In other words: enabling the feature wasn’t always safe.

Commit 6b31a9744b8726c69bbaf290f8475a368a4b805

Feature was enabled, hoping to improve performance/cache coherency.

The Vulnerable Code

Here’s the problematic code and how it was rolled back. The device tree *before* the revert looked roughly like this:

apps_smmu: iommu@15000000 {
    compatible = "qcom,sdm845-smmu-v2";
    ...
    qcom,affirm-idr-cctw;
    ...
};

That qcom,affirm-idr-cctw; line enforced a certain cache tunneling feature (CCTW). With the revert, it gets deleted—removing the feature toggle:

apps_smmu: iommu@15000000 {
    compatible = "qcom,sdm845-smmu-v2";
    ...
    // qcom,affirm-idr-cctw;   <-- Line removed
    ...
};

The revert was committed as

commit 7cfebf1b167d9e5eba49ad8004ae280d1606b3c
Author: Konrad Dybcio <konrad.dybcio@linaro.org>
Date:   2024-05-07

    arm64: dts: qcom: sdm845: Revert "Affirm IDR.CCTW on apps_smmu"

    ...

    This reverts commit 6b31a9744b8726c69bbaf290f8475a368a4b805.

See the kernel.org patch for details.

Exploit Details

This vulnerability isn’t your classic code-execution bug. Instead, it’s a reliability—and potential denial of service—risk:

- Attack vector: Local or remote (if an attacker can cause device operation that triggers the SMMU bug, e.g., heavy I/O, GPU load, etc.)

Risk: Data loss if work isn’t saved during a crash.

An attacker might not be able to run arbitrary code, but crashing your device—even remotely via a crafted input, app, or workload—can still be dangerous (especially for critical systems).

You experience random freezes or resets, especially under heavy load

*Note: Not all devices are affected, but if you run Linux on Lenovo Yoga C630 or similarly shipped SDM845-based products, watch out.*

How To Fix

- Update your Linux kernel to the latest stable version that includes the revert (any build after May 2024, check with your distribution).
- Check device tree changes: make sure custom kernels do not set qcom,affirm-idr-cctw; for SDM845/850.
- Firmware Update: If available, OEM firmware updates may help, but kernel fix is the main solution.

---

References

- Original Patch Revert Discussion (LKML)
- Upstream Kernel Patch
- Lenovo Yoga C630 Linux Support Thread
- Dragonboard 845c Support Portal

Conclusion

CVE-2025-22012 shows how subtle hardware/firmware interactions can cause big problems when shared ARM platforms power so many different devices. If you’re running Linux on SDM845/850 hardware, check your kernel version, watch for updates, and know that sometimes, "new feature flicks", especially in device trees, aren’t always safe!

If you maintain a custom kernel or ROM for ARM laptops or boards, make sure to revert this single line for ultimate stability—at least until all firmware stacks are up to date.

*Stay safe and keep those patches coming!*

For any questions or contributions, join the linux-arm mailing list or contribute to device-specific projects on GitHub!


*Post exclusively for the AI community, June 2024*

Timeline

Published on: 04/08/2025 09:15:25 UTC
Last modified on: 04/10/2025 13:10:36 UTC