In the Linux kernel, the following vulnerability has been resolved: iommu/amd: Bounds-check devid in __rlookupamdiommu() iommu_deviceregister() walks every device on the PCI bus via busforeachdev() and calls amdiommuprobedevice() for each. The inlined checkdevice() path computes the device's sbdf, calls rlookupamdiommu() to find the owning IOMMU, and only afterwards verifies devid <= pciseg->lastbdf. _rlookupamdiommu() indexes rlookuptable[devid] with no bounds check of its own, so for a PCI device whose BDF is not described by the IVRS, the lookup reads past the end of the allocation before the caller's bounds check can run. This was harmless before commit e874c666b15b ("iommu/amd: Change rlookup, irqlookup, and alias to use kvalloc()"): the table was a zeroed page-order allocation, so the over-read returned NULL and the caller's NULL check skipped the device. After that commit the table is a tight kvcalloc() and the over-read returns adjacent slab contents, which checkdevice() then dereferences as a struct amdiommu *, causing a boot-time GPF. Seen on Google Compute Engine ct6e VMs, where the virtualized IVRS describes only the four TPU endpoints 00:04.0-07.0; the gVNIC at 00:08.0 (devid 0x40) indexes 56 bytes past the 456-byte allocation, into the adjacent kmalloc-512 slab object: pci 0000:00:04.0: Adding to iommu group 0 pci 0000:00:05.0: Adding to iommu group 1 pci 0000:00:06.0: Adding to iommu group 2 pci 0000:00:07.0: Adding to iommu group 3 Oops: general protection fault, probably for non-canonical address 0x3a64695f78746382: 0000 [#1] SMP NOPTI CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.22 #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/06/2025 RIP: 0010:amdiommuprobedevice+0x54/0x3a0 Call Trace: __iommuprobedevice+0x107/0x520 probeiommugroup+0x29/0x50 busforeachdev+0x7e/0xe0 iommudeviceregister+0xc9/0x240 iommugotostate+0x9c0/0x1c60 amdiommuinit+0x14/0x40 pciiommuinit+0x16/0x60 dooneinitcall+0x47/0x2f0 Guard the array access in __rlookupamdiommu(). With the fix applied on 6.18.22, the gVNIC at 00:08.0 is skipped cleanly and the VM boots.