CVE-2026-23361

Severity CVSS v4.0: Pending analysis
Type: CWE-787 Out-of-bounds Write
Publication date: 25/03/2026
Last modified: 24/04/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

PCI: dwc: ep: Flush MSI-X write before unmapping its ATU entry

Endpoint drivers use dw_pcie_ep_raise_msix_irq() to raise an MSI-X interrupt to the host using a writel(), which generates a PCI posted write transaction. There's no completion for posted writes, so the writel() may return before the PCI write completes. dw_pcie_ep_raise_msix_irq() also unmaps the outbound ATU entry used for the PCI write, so the write races with the unmap.

If the PCI write loses the race with the ATU unmap, the write may corrupt host memory or cause IOMMU errors, e.g., these when running fio with a larger queue depth against nvmet-pci-epf:

arm-smmu-v3 fc900000.iommu: 0x0000010000000010
arm-smmu-v3 fc900000.iommu: 0x0000020000000000
arm-smmu-v3 fc900000.iommu: 0x000000090000f040
arm-smmu-v3 fc900000.iommu: 0x0000000000000000
arm-smmu-v3 fc900000.iommu: event: F_TRANSLATION client: 0000:01:00.0 sid: 0x100 ssid: 0x0 iova: 0x90000f040 ipa: 0x0
arm-smmu-v3 fc900000.iommu: unpriv data write s1 "Input address caused fault" stag: 0x0

Flush the write by performing a readl() of the same address to ensure that the write has reached the destination before the ATU entry is unmapped.

The same problem was solved for dw_pcie_ep_raise_msi_irq() in commit 8719c64e76bf ("PCI: dwc: ep: Cache MSI outbound iATU mapping"), but there it was solved by dedicating an outbound iATU only for MSI. We can't do the same for MSI-X because each vector can have a different msg_addr and the msg_addr may be changed while the vector is masked.

[bhelgaas: commit log]
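
A triage sketch for the IOMMU errors quoted above, added here as an example and not part of the kernel patch or the advisory: it pairs each arm-smmu-v3 event line with its detail line and lists, per client device, the IOVAs of translation faults caused by writes. The regular expressions follow only the two line formats shown in the description, the function names are hypothetical, and the last two sample lines are constructed.

```python
import re
from collections import defaultdict

# Decoded event line, in the format quoted in the description above.
EVENT_RE = re.compile(
    r"arm-smmu-v3 (?P<smmu>\S+): event: (?P<event>\w+) client: (?P<client>\S+) "
    r"sid: (?P<sid>0x[0-9a-f]+) ssid: (?P<ssid>0x[0-9a-f]+) "
    r"iova: (?P<iova>0x[0-9a-f]+) ipa: (?P<ipa>0x[0-9a-f]+)")
# Detail line that follows it, e.g. 'unpriv data write s1 "Input address caused fault"'.
DETAIL_RE = re.compile(r"arm-smmu-v3 (?P<smmu>\S+): \w+ \w+ (?P<rw>read|write) s\d ")

def translation_write_faults(lines):
    """Return one dict per F_TRANSLATION event whose detail line reports a write."""
    faults, pending = [], {}
    for line in lines:
        ev = EVENT_RE.search(line)
        if ev:
            pending[ev["smmu"]] = ev.groupdict()  # hold until the detail line arrives
            continue
        det = DETAIL_RE.search(line)
        if det and det["smmu"] in pending:
            fault = pending.pop(det["smmu"])
            if fault["event"] == "F_TRANSLATION" and det["rw"] == "write":
                fault["iova"] = int(fault["iova"], 16)
                faults.append(fault)
    return faults

def faults_by_client(lines):
    """Group the faulting write addresses by the PCI device that issued them."""
    grouped = defaultdict(list)
    for fault in translation_write_faults(lines):
        grouped[fault["client"]].append(fault["iova"])
    return dict(grouped)

# The first three lines are quoted from the description; the last two are
# constructed (a read fault) to show that only faulting writes are reported.
SAMPLE = [
    'arm-smmu-v3 fc900000.iommu: 0x000000090000f040',
    'arm-smmu-v3 fc900000.iommu: event: F_TRANSLATION client: 0000:01:00.0 sid: 0x100 ssid: 0x0 iova: 0x90000f040 ipa: 0x0',
    'arm-smmu-v3 fc900000.iommu: unpriv data write s1 "Input address caused fault" stag: 0x0',
    'arm-smmu-v3 fc900000.iommu: event: F_TRANSLATION client: 0000:01:00.0 sid: 0x100 ssid: 0x0 iova: 0x90001f000 ipa: 0x0',
    'arm-smmu-v3 fc900000.iommu: unpriv data read s1 "Input address caused fault" stag: 0x0',
]

if __name__ == "__main__":
    for client, iovas in faults_by_client(SAMPLE).items():
        print(client, [hex(i) for i in iovas])
```

A translation fault on a write has other causes as well, so a hit is a reason to check the running kernel against the version ranges listed below, not proof of this bug.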

Vulnerable products and versions

CPE                                               From                Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      4.19.1 (including)  6.12.77 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.13 (including)    6.18.17 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.19 (including)    6.19.7 (excluding)
cpe:2.3:o:linux:linux_kernel:4.19:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*