In the Linux kernel, the following vulnerability has been resolved:
iommu/vt-d: Remove cache tags before disabling ATS
The current implementation removes cache tags after disabling ATS, leading to potential memory leaks and kernel crashes. Specifically, CACHE_TAG_DEVTLB type cache tags may still remain in the list even after the domain is freed, causing a use-after-free condition.
This issue really shows up when multiple VFs from different PFs are passed through to a single user-space process via vfio-pci. In such cases, the kernel may crash with kernel messages like:
 BUG: kernel NULL pointer dereference, address: 0000000000000014
 PGD 19036a067 P4D 1940a3067 PUD 136c9b067 PMD 0
 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
 CPU: 74 UID: 0 PID: 3183 Comm: testCli Not tainted 6.11.9 #2
 RIP: 0010:cache_tag_flush_range+0x9b/0x250
 Call Trace:
  <TASK>
  ? __die+0x1f/0x60
  ? page_fault_oops+0x163/0x590
  ? exc_page_fault+0x72/0x190
  ? asm_exc_page_fault+0x22/0x30
  ? cache_tag_flush_range+0x9b/0x250
  ? cache_tag_flush_range+0x5d/0x250
  intel_iommu_tlb_sync+0x29/0x40
  intel_iommu_unmap_pages+0xfe/0x160
  __iommu_unmap+0xd8/0x1a0
  vfio_unmap_unpin+0x182/0x340 [vfio_iommu_type1]
  vfio_remove_dma+0x2a/0xb0 [vfio_iommu_type1]
  vfio_iommu_type1_ioctl+0xafa/0x18e0 [vfio_iommu_type1]
Move cache_tag_unassign_domain() before iommu_disable_pci_caps() to fix it.
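The following is an added illustration and is not the kernel's code or part of the advisory text. It is a deliberately simplified C model of the ordering problem described above: the structures and the function names (tag_add, cache_tag_assign, cache_tag_unassign, disable_pci_caps, leftover_tags_after_detach) are assumptions, as is the modelled rule that a device-TLB tag is only added or removed while the device still reports ATS as enabled. Under that rule, disabling ATS before unassigning the tags leaves the device-TLB tag in the domain's list, which is exactly the stale entry a later flush would walk after the domain is freed.

```c
/* Simplified model of the detach ordering bug; illustrative only, not
 * the Linux kernel's implementation. Names and the ATS rule below are
 * assumptions made to show why the call order matters. */
#include <stdio.h>
#include <stdlib.h>

enum tag_type { TAG_IOTLB, TAG_DEVTLB };

struct cache_tag {
    enum tag_type type;
    int dev_id;
    struct cache_tag *next;
};

struct domain {
    struct cache_tag *tags;   /* list walked on every unmap/flush */
};

struct dev_info {
    int dev_id;
    int ats_enabled;
};

static void tag_add(struct domain *d, int dev_id, enum tag_type type)
{
    struct cache_tag *t = malloc(sizeof(*t));
    if (!t)
        abort();
    t->type = type;
    t->dev_id = dev_id;
    t->next = d->tags;
    d->tags = t;
}

static void tag_remove(struct domain *d, int dev_id, enum tag_type type)
{
    struct cache_tag **pp = &d->tags;
    while (*pp) {
        struct cache_tag *t = *pp;
        if (t->dev_id == dev_id && t->type == type) {
            *pp = t->next;
            free(t);
        } else {
            pp = &t->next;
        }
    }
}

/* Modelled rule: a DEVTLB tag exists for a device only while ATS is on. */
static void cache_tag_assign(struct domain *d, const struct dev_info *info)
{
    tag_add(d, info->dev_id, TAG_IOTLB);
    if (info->ats_enabled)
        tag_add(d, info->dev_id, TAG_DEVTLB);
}

/* Unassign mirrors assign, so it consults ats_enabled to decide whether a
 * DEVTLB tag must be removed. That dependency is what makes order matter. */
static void cache_tag_unassign(struct domain *d, const struct dev_info *info)
{
    tag_remove(d, info->dev_id, TAG_IOTLB);
    if (info->ats_enabled)
        tag_remove(d, info->dev_id, TAG_DEVTLB);
}

static void disable_pci_caps(struct dev_info *info)
{
    info->ats_enabled = 0;
}

static int count_tags(const struct domain *d)
{
    int n = 0;
    for (const struct cache_tag *t = d->tags; t; t = t->next)
        n++;
    return n;
}

/* Attach one ATS-capable device, detach it in the requested order, and
 * return how many tags are left behind. A non-zero result is a tag that
 * would dangle once the domain is freed and a later flush walks the list. */
int leftover_tags_after_detach(int unassign_before_disable)
{
    struct domain d = { .tags = NULL };
    struct dev_info info = { .dev_id = 1, .ats_enabled = 1 };
    int left;

    cache_tag_assign(&d, &info);
    if (unassign_before_disable) {
        cache_tag_unassign(&d, &info);   /* fixed order: tags removed first */
        disable_pci_caps(&info);
    } else {
        disable_pci_caps(&info);         /* buggy order: ATS already off... */
        cache_tag_unassign(&d, &info);   /* ...so the DEVTLB tag is skipped */
    }
    left = count_tags(&d);
    while (d.tags)                       /* release the model's own leftovers */
        tag_remove(&d, info.dev_id, d.tags->type);
    return left;
}

int main(void)
{
    printf("buggy order leaves %d tag(s)\n", leftover_tags_after_detach(0));
    printf("fixed order leaves %d tag(s)\n", leftover_tags_after_detach(1));
    return 0;
}
```

Compile with any C99 compiler and run; the buggy order reports one leftover tag and the fixed order reports none. The model keeps the tag list alive so the leftover can be counted, whereas in the real scenario the domain owning the list is freed and the stale entry is dereferenced by a subsequent flush, which is the use-after-free the advisory describes.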