In the Linux kernel, the following vulnerability has been resolved:
iommu/vt-d: Skip dev-iotlb flush for inaccessible PCIe device without scalable mode
PCIe endpoints with ATS enabled and passed through to userspace (e.g., QEMU, DPDK) can hard-lock the host when their link drops, either by surprise removal or by a link fault.
Commit 4fc82cd907ac ("iommu/vt-d: Don't issue ATS Invalidation request when device is disconnected") adds pcidevisdisconnected() to devtlbinvalidationwithpasid() so ATS invalidation is skipped only when the device is being safely removed, but it applies only when Intel IOMMU scalable mode is enabled.
With scalable mode disabled or unsupported, a system hard-lock occurs when a PCIe endpoint's link drops because the Intel IOMMU waits indefinitely for an ATS invalidation that cannot complete.
Call Trace: qisubmitsync qiflushdev_iotlb __contextflushdeviotlb.part.0 domaincontextclearonecb pciforeachdmaalias deviceblocktranslation blockingdomainattachdev iommudeinitdevice __iommugroupremovedevice iommureleasedevice iommubusnotifier blockingnotifiercallchain busnotify devicedel pciremovebusdevice pcistopandremovebusdevice pciehpunconfiguredevice pciehpdisableslot pciehphandlepresenceorlinkchange pciehpist
Commit 81e921fd3216 ("iommu/vt-d: Fix NULL domain on device release") adds intelpasidteardownsmcontext() to inteliommureleasedevice(), which calls qiflushdeviotlb() and can also hard-lock the system when a PCIe endpoint's link drops.
Call Trace: qisubmitsync qiflushdev_iotlb __contextflushdeviotlb.part.0 intelcontextflushnopasid devicepasidtableteardown pcipasidtableteardown pciforeachdmaalias intelpasidteardownsmcontext inteliommureleasedevice iommudeinitdevice __iommugroupremovedevice iommureleasedevice iommubusnotifier blockingnotifiercallchain busnotify devicedel pciremovebusdevice pcistopandremovebusdevice pciehpunconfiguredevice pciehpdisableslot pciehphandlepresenceorlinkchange pciehpist
Sometimes the endpoint loses connection without a link-down event (e.g., due to a link fault); killing the process (virsh destroy) then hard-locks the host.
Call Trace: qisubmitsync qiflushdev_iotlb __contextflushdeviotlb.part.0 domaincontextclearonecb pciforeachdmaalias deviceblocktranslation blockingdomainattachdev __iommuattachdevice __iommudeviceset_domain __iommugroupsetdomaininternal iommudetachgroup vfioiommutype1detachgroup vfiogroupdetachcontainer vfiogroupfopsrelease __fput
pcidevisdisconnected() only covers safe-removal paths; pcideviceispresent() tests accessibility by reading vendor/device IDs and internally calls pcidevis_disconnected(). On a ConnectX-5 (8 GT/s, x2) this costs ~70 µs.
Since _contextflushdeviotlb() is only called on {attach,release}dev paths (not hot), add pcideviceispresent() there to skip inaccessible devices and avoid the hard-lock.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43161.json",
"cna_assigner": "Linux"
}