CVE-2025-38594

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iommu/vt-d: Fix UAF on sva unbind with pending IOPFs<br /> <br /> Commit 17fce9d2336d ("iommu/vt-d: Put iopf enablement in domain attach<br /> path") disables IOPF on device by removing the device from its IOMMU&amp;#39;s<br /> IOPF queue when the last IOPF-capable domain is detached from the device.<br /> Unfortunately, it did this in a wrong place where there are still pending<br /> IOPFs. As a result, a use-after-free error is potentially triggered and<br /> eventually a kernel panic with a kernel trace similar to the following:<br /> <br /> refcount_t: underflow; use-after-free.<br /> WARNING: CPU: 3 PID: 313 at lib/refcount.c:28 refcount_warn_saturate+0xd8/0xe0<br /> Workqueue: iopf_queue/dmar0-iopfq iommu_sva_handle_iopf<br /> Call Trace:<br /> <br /> iopf_free_group+0xe/0x20<br /> process_one_work+0x197/0x3d0<br /> worker_thread+0x23a/0x350<br /> ? rescuer_thread+0x4a0/0x4a0<br /> kthread+0xf8/0x230<br /> ? finish_task_switch.isra.0+0x81/0x260<br /> ? kthreads_online_cpu+0x110/0x110<br /> ? kthreads_online_cpu+0x110/0x110<br /> ret_from_fork+0x13b/0x170<br /> ? kthreads_online_cpu+0x110/0x110<br /> ret_from_fork_asm+0x11/0x20<br /> <br /> ---[ end trace 0000000000000000 ]---<br /> <br /> The intel_pasid_tear_down_entry() function is responsible for blocking<br /> hardware from generating new page faults and flushing all in-flight<br /> ones. Therefore, moving iopf_for_domain_remove() after this function<br /> should resolve this.