CVE-2026-43161

Published: Mag 06, 2026 Last Modified: Mag 06, 2026

ExploitDB:

Other exploit source:

Google Dorks:

Description

AI Translation Available

In the Linux kernel, the following vulnerability has been resolved:

iommu/vt-d: Skip dev-iotlb flush for inaccessible PCIe device without scalable mode

PCIe endpoints with ATS enabled and passed through to userspace
(e.g., QEMU, DPDK) can hard-lock the host when their link drops,
either by surprise removal or by a link fault.

Commit 4fc82cd907ac ('iommu/vt-d: Don't issue ATS Invalidation
request when device is disconnected') adds pci_dev_is_disconnected()
to devtlb_invalidation_with_pasid() so ATS invalidation is skipped
only when the device is being safely removed, but it applies only
when Intel IOMMU scalable mode is enabled.

With scalable mode disabled or unsupported, a system hard-lock
occurs when a PCIe endpoint's link drops because the Intel IOMMU
waits indefinitely for an ATS invalidation that cannot complete.

Call Trace:
qi_submit_sync
qi_flush_dev_iotlb
__context_flush_dev_iotlb.part.0
domain_context_clear_one_cb
pci_for_each_dma_alias
device_block_translation
blocking_domain_attach_dev
iommu_deinit_device
__iommu_group_remove_device
iommu_release_device
iommu_bus_notifier
blocking_notifier_call_chain
bus_notify
device_del
pci_remove_bus_device
pci_stop_and_remove_bus_device
pciehp_unconfigure_device
pciehp_disable_slot
pciehp_handle_presence_or_link_change
pciehp_ist

Commit 81e921fd3216 ('iommu/vt-d: Fix NULL domain on device release')
adds intel_pasid_teardown_sm_context() to intel_iommu_release_device(),
which calls qi_flush_dev_iotlb() and can also hard-lock the system
when a PCIe endpoint's link drops.

Call Trace:
qi_submit_sync
qi_flush_dev_iotlb
__context_flush_dev_iotlb.part.0
intel_context_flush_no_pasid
device_pasid_table_teardown
pci_pasid_table_teardown
pci_for_each_dma_alias
intel_pasid_teardown_sm_context
intel_iommu_release_device
iommu_deinit_device
__iommu_group_remove_device
iommu_release_device
iommu_bus_notifier
blocking_notifier_call_chain
bus_notify
device_del
pci_remove_bus_device
pci_stop_and_remove_bus_device
pciehp_unconfigure_device
pciehp_disable_slot
pciehp_handle_presence_or_link_change
pciehp_ist

Sometimes the endpoint loses connection without a link-down event
(e.g., due to a link fault); killing the process (virsh destroy)
then hard-locks the host.

Call Trace:
qi_submit_sync
qi_flush_dev_iotlb
__context_flush_dev_iotlb.part.0
domain_context_clear_one_cb
pci_for_each_dma_alias
device_block_translation
blocking_domain_attach_dev
__iommu_attach_device
__iommu_device_set_domain
__iommu_group_set_domain_internal
iommu_detach_group
vfio_iommu_type1_detach_group
vfio_group_detach_container
vfio_group_fops_release
__fput

pci_dev_is_disconnected() only covers safe-removal paths;
pci_device_is_present() tests accessibility by reading
vendor/device IDs and internally calls pci_dev_is_disconnected().
On a ConnectX-5 (8 GT/s, x2) this costs ~70 µs.

Since __context_flush_dev_iotlb() is only called on
{attach,release}_dev paths (not hot), add pci_device_is_present()
there to skip inaccessible devices and avoid the hard-lock.

AI Generated Translation

Nel kernel Linux, è stata risolta la seguente vulnerabilità:

iommu/vt-d: Ignora dev-iotlb flush per dispositivi PCIe inaccessibili senza modalità scalabile

Gli endpoint PCIe con ATS abilitato e passati allo spazio utente
(es. QEMU, DPDK) possono bloccare il sistema host quando il loro link si interrompe,
sia per rimozione improvvisa che per un guasto del link.

Il commit 4fc82cd907ac ("iommu/vt-d: Don't issue ATS Invalidation
request when device is disconnected") aggiunge pci_dev_is_disconnected()
a devtlb_invalidation_with_pasid(), in modo che l'invalidazione ATS venga
skippata solo quando il dispositivo viene rimosso in modo sicuro, ma questa
modifica si applica solo quando la modalità scalabile di Intel IOMMU è abilitata.

Con modalità scalabile disabilitata o non supportata, si verifica un blocco
del sistema quando il link di un endpoint PCIe si interrompe, poiché l'Intel IOMMU
attende indefinitamente un'invalidazione ATS che non può completarsi.

Trace di chiamata:
qi_submit_sync
qi_flush_dev_iotlb
__context_flush_dev_iotlb.part.0
domain_context_clear_one_cb
pci_for_each_dma_alias
device_block_translation
blocking_domain_attach_dev
iommu_deinit_device
__iommu_group_remove_device
iommu_release_device
iommu_bus_notifier
blocking_notifier_call_chain
bus_notify
device_del
pci_remove_bus_device
pci_stop_and_remove_bus_device
pciehp_unconfigure_device
pciehp_disable_slot
pciehp_handle_presence_or_link_change
pciehp_ist

Il commit 81e921fd3216 ("iommu/vt-d: Fix NULL domain on device release")
introduce intel_pasid_teardown_sm_context() in intel_iommu_release_device(),
che chiama qi_flush_dev_iotlb() e può anche causare il blocco del sistema
quando il link di un endpoint PCIe si interrompe.

Trace di chiamata:
qi_submit_sync
qi_flush_dev_iotlb
__context_flush_dev_iotlb.part.0
intel_context_flush_no_pasid
device_pasid_table_teardown
pci_pasid_table_teardown
pci_for_each_dma_alias
intel_pasid_teardown_sm_context
intel_iommu_release_device
iommu_deinit_device
__iommu_group_remove_device
iommu_release_device
iommu_bus_notifier
blocking_notifier_call_chain
bus_notify
device_del
pci_remove_bus_device
pci_stop_and_remove_bus_device
pciehp_unconfigure_device
pciehp_disable_slot
pciehp_handle_presence_or_link_change
pciehp_ist

Talvolta l'endpoint perde la connessione senza un evento di link-down
(es. a causa di un guasto del link); terminare il processo (virsh destroy)
blocca in modo permanente l'host.

Trace di chiamata:
qi_submit_sync
qi_flush_dev_iotlb
__context_flush_dev_iotlb.part.0
domain_context_clear_one_cb
pci_for_each_dma_alias
device_block_translation
blocking_domain_attach_dev
__iommu_attach_device
__iommu_device_set_domain
__iommu_group_set_domain_internal
iommu_detach_group
vfio_iommu_type1_detach_group
vfio_group_detach_container
vfio_group_fops_release
__fput

La funzione pci_dev_is_disconnected() copre solo i percorsi di rimozione sicura;
pci_device_is_present() verifica l'accessibilità leggendo gli ID vendor/device
e chiama internamente pci_dev_is_disconnected().
Su un ConnectX-5 (8 GT/s, x2), questa operazione richiede circa 70 µs.

Poiché __context_flush_dev_iotlb() viene chiamata solo sui percorsi
{attach,release}_dev (non hot), si aggiunge pci_device_is_present()
per saltare i dispositivi inaccessibili e prevenire il blocco del sistema.

https://git.kernel.org/stable/c/42662d19839f34735b718129ea2…

https://git.kernel.org/stable/c/42662d19839f34735b718129ea200e3734b07e50

https://git.kernel.org/stable/c/48b3f08e68b29a79527869cdde7…

https://git.kernel.org/stable/c/48b3f08e68b29a79527869cdde7298ca2a9b9646

https://git.kernel.org/stable/c/bc0490ad9edf5c6f98e39fbbee2…

https://git.kernel.org/stable/c/bc0490ad9edf5c6f98e39fbbee2877b85261a5ae

https://git.kernel.org/stable/c/e70d5feb10c5ba2bbf7ca400b8f…

https://git.kernel.org/stable/c/e70d5feb10c5ba2bbf7ca400b8f39a2f82d653e8

CVE-2026-43161

Description

Iscriviti alla newsletter