CVE-2026-45894

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
27/05/2026
Last modified:
27/05/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

iommu/vt-d: Clear Present bit before tearing down PASID entry

The Intel VT-d Scalable Mode PASID table entry consists of 512 bits (64 bytes). When tearing down an entry, the current implementation zeros the entire 64-byte structure immediately using multiple 64-bit writes.

Since the IOMMU hardware may fetch these 64 bytes using multiple internal transactions (e.g., four 128-bit bursts), updating or zeroing the entire entry while it is active (P=1) risks a "torn" read. If a hardware fetch occurs simultaneously with the CPU zeroing the entry, the hardware could observe an inconsistent state, leading to unpredictable behavior or spurious faults.

Follow the "Guidance to Software for Invalidations" in the VT-d spec (Section 6.5.3.3) by implementing the recommended ownership handshake:

1. Clear only the 'Present' (P) bit of the PASID entry.
2. Use a dma_wmb() to ensure the cleared bit is visible to hardware before proceeding.
3. Execute the required invalidation sequence (PASID cache, IOTLB, and Device-TLB flush) to ensure the hardware has released all cached references.
4. Only after the flushes are complete, zero out the remaining fields of the PASID entry.

Also, add a dma_wmb() in pasid_set_present() to ensure that all other fields of the PASID entry are visible to the hardware before the Present bit is set.

Impact