Message-ID: <2025100916-CVE-2025-39961-09b1@gregkh>
Date: Thu,  9 Oct 2025 14:13:16 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-39961: iommu/amd/pgtbl: Fix possible race while increase page table level

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

iommu/amd/pgtbl: Fix possible race while increase page table level

The AMD IOMMU host page table implementation supports dynamic page table levels
(up to 6 levels), starting with a 3-level configuration that expands based on
IOVA address. The kernel maintains a root pointer and current page table level
to enable proper page table walks in alloc_pte()/fetch_pte() operations.

The IOMMU IOVA allocator initially starts with 32-bit address and once it's
exhausted it switches to 64-bit address (max address is determined based
on IOMMU and device DMA capability). To support larger IOVA, AMD IOMMU
driver increases page table level.

But in unmap path (iommu_v1_unmap_pages()), fetch_pte() reads
pgtable->[root/mode] without lock. So it's possible that in an extreme corner case,
when increase_address_space() is updating pgtable->[root/mode], fetch_pte()
reads wrong page table level (pgtable->mode). It does compare the value with
level encoded in page table and returns NULL. This will result in
iommu_unmap ops to fail and upper layer may retry/log WARN_ON.

CPU 0                                         CPU 1
------                                       ------
map pages                                    unmap pages
alloc_pte() -> increase_address_space()      iommu_v1_unmap_pages() -> fetch_pte()
  pgtable->root = pte (new root value)
                                             READ pgtable->[mode/root]
                                               Reads new root, old mode
  Updates mode (pgtable->mode += 1)

Since Page table level updates are infrequent and already synchronized with a
spinlock, implement seqcount to enable lock-free read operations on the read path.

The Linux kernel CVE team has assigned CVE-2025-39961 to this issue.
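
The seqcount read pattern named above, modelled in userspace with C11 atomics as an added example (not the kernel patch, and not code from this advisory). The struct layout, `grow_begin()`/`grow_end()`, `try_read()` and the root values are assumptions made up for illustration; `replay()` reproduces the CPU 0 / CPU 1 interleaving from the diagram on a single thread.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>

/* Userspace model (assumption): root/mode mirror pgtable->root/mode in the
 * advisory; seq is even when stable, odd while a writer is mid-update. */
struct pgtable { atomic_uint seq; _Atomic uintptr_t root; atomic_int mode; };
struct snapshot { uintptr_t root; int mode; };

/* Writer, first half: mark the update in progress, publish the new root. */
static void grow_begin(struct pgtable *p, uintptr_t new_root) {
    atomic_fetch_add_explicit(&p->seq, 1, memory_order_relaxed);
    atomic_thread_fence(memory_order_release);
    atomic_store_explicit(&p->root, new_root, memory_order_relaxed);
}
/* Writer, second half: bump the level, then mark the pair stable again. */
static void grow_end(struct pgtable *p) {
    atomic_fetch_add_explicit(&p->mode, 1, memory_order_relaxed);
    atomic_fetch_add_explicit(&p->seq, 1, memory_order_release);
}

/* Pre-fix style reader: two independent loads, nothing ties them together. */
static struct snapshot read_unlocked(struct pgtable *p) {
    return (struct snapshot){ atomic_load(&p->root), atomic_load(&p->mode) };
}

/* One seqcount read attempt: false means "torn or in progress, retry". */
static bool try_read(struct pgtable *p, struct snapshot *out) {
    unsigned s0 = atomic_load_explicit(&p->seq, memory_order_acquire);
    if (s0 & 1) return false;
    out->root = atomic_load_explicit(&p->root, memory_order_relaxed);
    out->mode = atomic_load_explicit(&p->mode, memory_order_relaxed);
    atomic_thread_fence(memory_order_acquire);
    return atomic_load_explicit(&p->seq, memory_order_relaxed) == s0;
}

struct replay_result { bool torn_unlocked, rejected_mid_update; struct snapshot final; };
/* Replays the advisory's CPU 0 / CPU 1 interleaving on a single thread. */
struct replay_result replay(void) {
    struct pgtable p = { .seq = 0, .root = 0x1000, .mode = 3 }; /* constructed values */
    struct replay_result r;
    grow_begin(&p, 0x2000);                    /* CPU 0: new root stored */
    struct snapshot u = read_unlocked(&p);     /* CPU 1 reads in the gap */
    r.torn_unlocked = (u.root == 0x2000 && u.mode == 3);
    r.rejected_mid_update = !try_read(&p, &r.final);
    grow_end(&p);                              /* CPU 0: mode += 1 */
    while (!try_read(&p, &r.final)) { }        /* reader retry loop */
    return r;
}
int main(void) { return replay().final.mode == 4 ? 0 : 1; }
```

In the kernel the same shape is written with `read_seqcount_begin()` and `read_seqcount_retry()` on the read side, while the writer stays under its existing spinlock.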


Affected and fixed versions
===========================

	Issue introduced in 5.3 with commit 754265bcab78a9014f0f99cd35e0d610fcd7dfa7 and fixed in 6.6.108 with commit 075abf0b1a958acfbea2435003d228e738e90346
	Issue introduced in 5.3 with commit 754265bcab78a9014f0f99cd35e0d610fcd7dfa7 and fixed in 6.12.49 with commit cd92c8ab336c3a633d46e6f35ebcd3509ae7db3b
	Issue introduced in 5.3 with commit 754265bcab78a9014f0f99cd35e0d610fcd7dfa7 and fixed in 6.16.9 with commit 7d462bdecb7d9c32934dab44aaeb7ea7d73a27a2
	Issue introduced in 5.3 with commit 754265bcab78a9014f0f99cd35e0d610fcd7dfa7 and fixed in 6.17 with commit 1e56310b40fd2e7e0b9493da9ff488af145bdd0c
	Issue introduced in 4.9.194 with commit 6fb92f18555a7b8e085267d513612dc0ff9a5360
	Issue introduced in 4.14.146 with commit b15bf74405faa1a65025eb8a6eb337e140e5250a
	Issue introduced in 4.19.75 with commit 0d50f7b1e8c80a8c20db5049e269468c059b0378
	Issue introduced in 5.2.17 with commit 785ca708a908b9c596ede852470ba28b8dc3e40b

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-39961
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/iommu/amd/amd_iommu_types.h
	drivers/iommu/amd/io_pgtable.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/075abf0b1a958acfbea2435003d228e738e90346
	https://git.kernel.org/stable/c/cd92c8ab336c3a633d46e6f35ebcd3509ae7db3b
	https://git.kernel.org/stable/c/7d462bdecb7d9c32934dab44aaeb7ea7d73a27a2
	https://git.kernel.org/stable/c/1e56310b40fd2e7e0b9493da9ff488af145bdd0c
