CVE-2025-39966

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iommufd: Fix race during abort for file descriptors<br /> <br /> fput() doesn&amp;#39;t actually call file_operations release() synchronously, it<br /> puts the file on a work queue and it will be released eventually.<br /> <br /> This is normally fine, except for iommufd the file and the iommufd_object<br /> are tied to gether. The file has the object as it&amp;#39;s private_data and holds<br /> a users refcount, while the object is expected to remain alive as long as<br /> the file is.<br /> <br /> When the allocation of a new object aborts before installing the file it<br /> will fput() the file and then go on to immediately kfree() the obj. This<br /> causes a UAF once the workqueue completes the fput() and tries to<br /> decrement the users refcount.<br /> <br /> Fix this by putting the core code in charge of the file lifetime, and call<br /> __fput_sync() during abort to ensure that release() is called before<br /> kfree. __fput_sync() is a bit too tricky to open code in all the object<br /> implementations. Instead the objects tell the core code where the file<br /> pointer is and the core will take care of the life cycle.<br /> <br /> If the object is successfully allocated then the file will hold a users<br /> refcount and the iommufd_object cannot be destroyed.<br /> <br /> It is worth noting that close(); ioctl(IOMMU_DESTROY); doesn&amp;#39;t have an<br /> issue because close() is already using a synchronous version of fput().<br /> <br /> The UAF looks like this:<br /> <br /> BUG: KASAN: slab-use-after-free in iommufd_eventq_fops_release+0x45/0xc0 drivers/iommu/iommufd/eventq.c:376<br /> Write of size 4 at addr ffff888059c97804 by task syz.0.46/6164<br /> <br /> CPU: 0 UID: 0 PID: 6164 Comm: syz.0.46 Not tainted syzkaller #0 PREEMPT(full)<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:94 [inline]<br /> dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120<br /> print_address_description mm/kasan/report.c:378 [inline]<br /> print_report+0xcd/0x630 mm/kasan/report.c:482<br /> kasan_report+0xe0/0x110 mm/kasan/report.c:595<br /> check_region_inline mm/kasan/generic.c:183 [inline]<br /> kasan_check_range+0x100/0x1b0 mm/kasan/generic.c:189<br /> instrument_atomic_read_write include/linux/instrumented.h:96 [inline]<br /> atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:400 [inline]<br /> __refcount_dec include/linux/refcount.h:455 [inline]<br /> refcount_dec include/linux/refcount.h:476 [inline]<br /> iommufd_eventq_fops_release+0x45/0xc0 drivers/iommu/iommufd/eventq.c:376<br /> __fput+0x402/0xb70 fs/file_table.c:468<br /> task_work_run+0x14d/0x240 kernel/task_work.c:227<br /> resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]<br /> exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43<br /> exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]<br /> syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]<br /> syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]<br /> do_syscall_64+0x41c/0x4c0 arch/x86/entry/syscall_64.c:100<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f