CVE-2025-38594 (GCVE-0-2025-38594)
Vulnerability from cvelistv5
Published
2025-08-19 17:03
Modified
2025-08-19 17:03
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Fix UAF on sva unbind with pending IOPFs Commit 17fce9d2336d ("iommu/vt-d: Put iopf enablement in domain attach path") disables IOPF on device by removing the device from its IOMMU's IOPF queue when the last IOPF-capable domain is detached from the device. Unfortunately, it did this in a wrong place where there are still pending IOPFs. As a result, a use-after-free error is potentially triggered and eventually a kernel panic with a kernel trace similar to the following: refcount_t: underflow; use-after-free. WARNING: CPU: 3 PID: 313 at lib/refcount.c:28 refcount_warn_saturate+0xd8/0xe0 Workqueue: iopf_queue/dmar0-iopfq iommu_sva_handle_iopf Call Trace: <TASK> iopf_free_group+0xe/0x20 process_one_work+0x197/0x3d0 worker_thread+0x23a/0x350 ? rescuer_thread+0x4a0/0x4a0 kthread+0xf8/0x230 ? finish_task_switch.isra.0+0x81/0x260 ? kthreads_online_cpu+0x110/0x110 ? kthreads_online_cpu+0x110/0x110 ret_from_fork+0x13b/0x170 ? kthreads_online_cpu+0x110/0x110 ret_from_fork_asm+0x11/0x20 </TASK> ---[ end trace 0000000000000000 ]--- The intel_pasid_tear_down_entry() function is responsible for blocking hardware from generating new page faults and flushing all in-flight ones. Therefore, moving iopf_for_domain_remove() after this function should resolve this.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/c68332b7ee893292bba6e87d31ef2080c066c65d
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/f0b9d31c6edd50a6207489cd1bd4ddac814b9cd2
Impacted products
Vendor Product Version
Linux Linux Version: 17fce9d2336d952b95474248303e5e7d9777f2e0
Version: 17fce9d2336d952b95474248303e5e7d9777f2e0
 Create a notification for this product.
   Linux Linux Version: 6.16
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/iommu/intel/iommu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c68332b7ee893292bba6e87d31ef2080c066c65d",
              "status": "affected",
              "version": "17fce9d2336d952b95474248303e5e7d9777f2e0",
              "versionType": "git"
            },
            {
              "lessThan": "f0b9d31c6edd50a6207489cd1bd4ddac814b9cd2",
              "status": "affected",
              "version": "17fce9d2336d952b95474248303e5e7d9777f2e0",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/iommu/intel/iommu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.16"
            },
            {
              "lessThan": "6.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17-rc1",
                  "versionStartIncluding": "6.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Fix UAF on sva unbind with pending IOPFs\n\nCommit 17fce9d2336d (\"iommu/vt-d: Put iopf enablement in domain attach\npath\") disables IOPF on device by removing the device from its IOMMU\u0027s\nIOPF queue when the last IOPF-capable domain is detached from the device.\nUnfortunately, it did this in a wrong place where there are still pending\nIOPFs. As a result, a use-after-free error is potentially triggered and\neventually a kernel panic with a kernel trace similar to the following:\n\n refcount_t: underflow; use-after-free.\n WARNING: CPU: 3 PID: 313 at lib/refcount.c:28 refcount_warn_saturate+0xd8/0xe0\n Workqueue: iopf_queue/dmar0-iopfq iommu_sva_handle_iopf\n Call Trace:\n   \u003cTASK\u003e\n   iopf_free_group+0xe/0x20\n   process_one_work+0x197/0x3d0\n   worker_thread+0x23a/0x350\n   ? rescuer_thread+0x4a0/0x4a0\n   kthread+0xf8/0x230\n   ? finish_task_switch.isra.0+0x81/0x260\n   ? kthreads_online_cpu+0x110/0x110\n   ? kthreads_online_cpu+0x110/0x110\n   ret_from_fork+0x13b/0x170\n   ? kthreads_online_cpu+0x110/0x110\n   ret_from_fork_asm+0x11/0x20\n   \u003c/TASK\u003e\n  ---[ end trace 0000000000000000 ]---\n\nThe intel_pasid_tear_down_entry() function is responsible for blocking\nhardware from generating new page faults and flushing all in-flight\nones. Therefore, moving iopf_for_domain_remove() after this function\nshould resolve this."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-19T17:03:19.689Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c68332b7ee893292bba6e87d31ef2080c066c65d"
        },
        {
          "url": "https://git.kernel.org/stable/c/f0b9d31c6edd50a6207489cd1bd4ddac814b9cd2"
        }
      ],
      "title": "iommu/vt-d: Fix UAF on sva unbind with pending IOPFs",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38594",
    "datePublished": "2025-08-19T17:03:19.689Z",
    "dateReserved": "2025-04-16T04:51:24.028Z",
    "dateUpdated": "2025-08-19T17:03:19.689Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-38594\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-08-19T17:15:37.213\",\"lastModified\":\"2025-08-20T14:40:17.713\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\niommu/vt-d: Fix UAF on sva unbind with pending IOPFs\\n\\nCommit 17fce9d2336d (\\\"iommu/vt-d: Put iopf enablement in domain attach\\npath\\\") disables IOPF on device by removing the device from its IOMMU\u0027s\\nIOPF queue when the last IOPF-capable domain is detached from the device.\\nUnfortunately, it did this in a wrong place where there are still pending\\nIOPFs. As a result, a use-after-free error is potentially triggered and\\neventually a kernel panic with a kernel trace similar to the following:\\n\\n refcount_t: underflow; use-after-free.\\n WARNING: CPU: 3 PID: 313 at lib/refcount.c:28 refcount_warn_saturate+0xd8/0xe0\\n Workqueue: iopf_queue/dmar0-iopfq iommu_sva_handle_iopf\\n Call Trace:\\n   \u003cTASK\u003e\\n   iopf_free_group+0xe/0x20\\n   process_one_work+0x197/0x3d0\\n   worker_thread+0x23a/0x350\\n   ? rescuer_thread+0x4a0/0x4a0\\n   kthread+0xf8/0x230\\n   ? finish_task_switch.isra.0+0x81/0x260\\n   ? kthreads_online_cpu+0x110/0x110\\n   ? kthreads_online_cpu+0x110/0x110\\n   ret_from_fork+0x13b/0x170\\n   ? kthreads_online_cpu+0x110/0x110\\n   ret_from_fork_asm+0x11/0x20\\n   \u003c/TASK\u003e\\n  ---[ end trace 0000000000000000 ]---\\n\\nThe intel_pasid_tear_down_entry() function is responsible for blocking\\nhardware from generating new page faults and flushing all in-flight\\nones. Therefore, moving iopf_for_domain_remove() after this function\\nshould resolve this.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: iommu/vt-d: Correcci\u00f3n de UAF en la desvinculaci\u00f3n de sva con IOPF pendientes. El commit 17fce9d2336d (\\\"iommu/vt-d: Colocar la habilitaci\u00f3n de iopf en la ruta de conexi\u00f3n del dominio\\\") deshabilita IOPF en el dispositivo elimin\u00e1ndolo de la cola de IOPF de su IOMMU cuando el \u00faltimo dominio con capacidad para IOPF se desvincula del dispositivo. Desafortunadamente, esto se realiz\u00f3 en un lugar incorrecto donde a\u00fan hay IOPF pendientes. Como resultado, se puede generar un error de use-after-free y, finalmente, un p\u00e1nico del kernel con un seguimiento del kernel similar al siguiente: refcount_t: underflow; use-after-free. ADVERTENCIA: CPU: 3 PID: 313 en lib/refcount.c:28 refcount_warn_saturate+0xd8/0xe0 Cola de trabajo: iopf_queue/dmar0-iopfq iommu_sva_handle_iopf Rastreo de llamadas:  iopf_free_group+0xe/0x20 process_one_work+0x197/0x3d0 worker_thread+0x23a/0x350 ? rescuer_thread+0x4a0/0x4a0 kthread+0xf8/0x230 ? finish_task_switch.isra.0+0x81/0x260 ? kthreads_online_cpu+0x110/0x110 ? kthreads_online_cpu+0x110/0x110 ret_from_fork+0x13b/0x170 ? kthreads_online_cpu+0x110/0x110 ret_from_fork_asm+0x11/0x20  ---[ end trace 0000000000000000 ]--- La funci\u00f3n intel_pasid_tear_down_entry() se encarga de impedir que el hardware genere nuevos fallos de p\u00e1gina y de eliminar todos los que se est\u00e1n ejecutando. Por lo tanto, mover iopf_for_domain_remove() despu\u00e9s de esta funci\u00f3n deber\u00eda resolver este problema.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/c68332b7ee893292bba6e87d31ef2080c066c65d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f0b9d31c6edd50a6207489cd1bd4ddac814b9cd2\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.