CVE-2026-43161

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
06/05/2026
Last modified:
06/05/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

iommu/vt-d: Skip dev-iotlb flush for inaccessible PCIe device without scalable mode

PCIe endpoints with ATS enabled and passed through to userspace (e.g., QEMU, DPDK) can hard-lock the host when their link drops, either by surprise removal or by a link fault.

Commit 4fc82cd907ac ("iommu/vt-d: Don't issue ATS Invalidation request when device is disconnected") adds pci_dev_is_disconnected() to devtlb_invalidation_with_pasid() so ATS invalidation is skipped only when the device is being safely removed, but it applies only when Intel IOMMU scalable mode is enabled.

With scalable mode disabled or unsupported, a system hard-lock occurs when a PCIe endpoint's link drops because the Intel IOMMU waits indefinitely for an ATS invalidation that cannot complete.

Call Trace:
  qi_submit_sync
  qi_flush_dev_iotlb
  __context_flush_dev_iotlb.part.0
  domain_context_clear_one_cb
  pci_for_each_dma_alias
  device_block_translation
  blocking_domain_attach_dev
  iommu_deinit_device
  __iommu_group_remove_device
  iommu_release_device
  iommu_bus_notifier
  blocking_notifier_call_chain
  bus_notify
  device_del
  pci_remove_bus_device
  pci_stop_and_remove_bus_device
  pciehp_unconfigure_device
  pciehp_disable_slot
  pciehp_handle_presence_or_link_change
  pciehp_ist

Commit 81e921fd3216 ("iommu/vt-d: Fix NULL domain on device release") adds intel_pasid_teardown_sm_context() to intel_iommu_release_device(), which calls qi_flush_dev_iotlb() and can also hard-lock the system when a PCIe endpoint's link drops.

Call Trace:
  qi_submit_sync
  qi_flush_dev_iotlb
  __context_flush_dev_iotlb.part.0
  intel_context_flush_no_pasid
  device_pasid_table_teardown
  pci_pasid_table_teardown
  pci_for_each_dma_alias
  intel_pasid_teardown_sm_context
  intel_iommu_release_device
  iommu_deinit_device
  __iommu_group_remove_device
  iommu_release_device
  iommu_bus_notifier
  blocking_notifier_call_chain
  bus_notify
  device_del
  pci_remove_bus_device
  pci_stop_and_remove_bus_device
  pciehp_unconfigure_device
  pciehp_disable_slot
  pciehp_handle_presence_or_link_change
  pciehp_ist

Sometimes the endpoint loses connection without a link-down event (e.g., due to a link fault); killing the process (virsh destroy) then hard-locks the host.

Call Trace:
  qi_submit_sync
  qi_flush_dev_iotlb
  __context_flush_dev_iotlb.part.0
  domain_context_clear_one_cb
  pci_for_each_dma_alias
  device_block_translation
  blocking_domain_attach_dev
  __iommu_attach_device
  __iommu_device_set_domain
  __iommu_group_set_domain_internal
  iommu_detach_group
  vfio_iommu_type1_detach_group
  vfio_group_detach_container
  vfio_group_fops_release
  __fput

pci_dev_is_disconnected() only covers safe-removal paths; pci_device_is_present() tests accessibility by reading vendor/device IDs and internally calls pci_dev_is_disconnected(). On a ConnectX-5 (8 GT/s, x2) this costs ~70 µs.

Since __context_flush_dev_iotlb() is only called on {attach,release}_dev paths (not hot), add pci_device_is_present() there to skip inaccessible devices and avoid the hard-lock.

Impact