CVE-2025-38594 Information

Aug 20, 2025 cve

Description

In the Linux kernel the following vulnerability has been resolved:

iommu/vt-d: Fix UAF on sva unbind with pending IOPFs

Commit 17fce9d2336d (\iommu/vt-d: Put iopf enablement in domain attach path) disables IOPF on device by removing the device from its IOMMU’s IOPF queue when the last IOPF-capable domain is detached from the device. Unfortunately it did this in a wrong place where there are still pending IOPFs. As a result a use-after-free error is potentially triggered and eventually a kernel panic with a kernel trace similar to the following:

refcount_t: underflow; use-after-free. WARNING: CPU: 3 PID: 313 at lib/refcount.c:28 refcount_warn_saturate+0xd8/0xe0 Workqueue: iopf_queue/dmar0-iopfq iommu_sva_handle_iopf Call Trace: iopf_free_group+0xe/0x20 process_one_work+0x197/0x3d0 worker_thread+0x23a/0x350 ? rescuer_thread+0x4a0/0x4a0 kthread+0xf8/0x230 ? finish_task_switch.isra.0+0x81/0x260 ? kthreads_online_cpu+0x110/0x110 ? kthreads_online_cpu+0x110/0x110 ret_from_fork+0x13b/0x170 ? kthreads_online_cpu+0x110/0x110 ret_from_fork_asm+0x11/0x20 —[ end trace 0000000000000000 ]—

The intel_pasid_tear_down_entry() function is responsible for blocking hardware from generating new page faults and flushing all in-flight ones. Therefore moving iopf_for_domain_remove() after this function should resolve this.

Reference

https://git.kernel.org/stable/c/c68332b7ee893292bba6e87d31ef2080c066c65d https://git.kernel.org/stable/c/f0b9d31c6edd50a6207489cd1bd4ddac814b9cd2

CNNVD-202508-2158 (Published: 2025-08-19)

Share on: