CVE-2025-38594

In the Linux kernel, the following vulnerability has been resolved:

iommu/vt-d: Fix UAF on sva unbind with pending IOPFs

Commit 17fce9d2336d ("iommu/vt-d: Put iopf enablement in domain attach path") disables IOPF on device by removing the device from its IOMMU's IOPF queue when the last IOPF-capable domain is detached from the device. Unfortunately, it did this in a wrong place where there are still pending IOPFs. As a result, a use-after-free error is potentially triggered and eventually a kernel panic with a kernel trace similar to the following:

refcountt: underflow; use-after-free. WARNING: CPU: 3 PID: 313 at lib/refcount.c:28 refcountwarnsaturate+0xd8/0xe0 Workqueue: iopfqueue/dmar0-iopfq iommusvahandleiopf Call Trace: <TASK> iopffreegroup+0xe/0x20 processonework+0x197/0x3d0 workerthread+0x23a/0x350 ? rescuerthread+0x4a0/0x4a0 kthread+0xf8/0x230 ? finishtaskswitch.isra.0+0x81/0x260 ? kthreadsonlinecpu+0x110/0x110 ? kthreadsonlinecpu+0x110/0x110 retfromfork+0x13b/0x170 ? kthreadsonlinecpu+0x110/0x110 retfromforkasm+0x11/0x20 </TASK> ---[ end trace 0000000000000000 ]---

The intelpasidteardownentry() function is responsible for blocking hardware from generating new page faults and flushing all in-flight ones. Therefore, moving iopffordomain_remove() after this function should resolve this.