In the Linux kernel, the following vulnerability has been resolved:
iommufd: Fix ioptaccesslist_id overwrite bug
Syzkaller reported the following WARNON: WARNING: CPU: 1 PID: 4738 at drivers/iommu/iommufd/iopagetable.c:1360
Call Trace: iommufdaccesschangeioas+0x2fe/0x4e0 iommufdaccessdestroyobject+0x50/0xb0 iommufdobjectremove+0x2a3/0x490 iommufdobjectdestroyuser iommufdaccessdestroy+0x71/0xb0 iommufdteststaccessrelease+0x89/0xd0 _fput+0x272/0xb50 _fputsync+0x4b/0x60 _dosysclose _sesysclose _x64sysclose+0x8b/0x110 dosyscallx64
The mismatch between the access pointer in the list and the passed-in pointer is resulting from an overwrite of access->ioptaccesslistid, in ioptaddaccess(). Called from iommufdaccesschangeioas() when xaalloc() succeeds but ioptcalculateiovaalignment() fails.
Add a newid in ioptaddaccess() and only update ioptaccesslistid when returning successfully.