{"id":"CVE-2024-26785","summary":"iommufd: Fix protection fault in iommufd_test_syz_conv_iova","details":"In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: Fix protection fault in iommufd_test_syz_conv_iova\n\nSyzkaller reported the following bug:\n\n  general protection fault, probably for non-canonical address 0xdffffc0000000038: 0000 [#1] SMP KASAN\n  KASAN: null-ptr-deref in range [0x00000000000001c0-0x00000000000001c7]\n  Call Trace:\n   lock_acquire\n   lock_acquire+0x1ce/0x4f0\n   down_read+0x93/0x4a0\n   iommufd_test_syz_conv_iova+0x56/0x1f0\n   iommufd_test_access_rw.isra.0+0x2ec/0x390\n   iommufd_test+0x1058/0x1e30\n   iommufd_fops_ioctl+0x381/0x510\n   vfs_ioctl\n   __do_sys_ioctl\n   __se_sys_ioctl\n   __x64_sys_ioctl+0x170/0x1e0\n   do_syscall_x64\n   do_syscall_64+0x71/0x140\n\nThis is because the new iommufd_access_change_ioas() sets access-\u003eioas to\nNULL during its process, so the lock might be gone in a concurrent racing\ncontext.\n\nFix this by doing the same access-\u003eioas sanity as iommufd_access_rw() and\niommufd_access_pin_pages() functions do.","modified":"2026-04-02T10:05:56.819749Z","published":"2024-04-04T08:20:18.467Z","related":["SUSE-SU-2024:2802-1","SUSE-SU-2024:2896-1","SUSE-SU-2024:2973-1","SUSE-SU-2025:20008-1","SUSE-SU-2025:20028-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/26xxx/CVE-2024-26785.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/cf7c2789822db8b5efa34f5ebcf1621bc0008d48"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fc719ecbca45c9c046640d72baddba3d83e0bc0b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fd4d5cd7a2e8f08357c9bfc0905957cffe8ce568"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/26xxx/CVE-2024-26785.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26785"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"9227da7816dd1a42e20d41e2244cb63c205477ca"},{"fixed":"fd4d5cd7a2e8f08357c9bfc0905957cffe8ce568"},{"fixed":"fc719ecbca45c9c046640d72baddba3d83e0bc0b"},{"fixed":"cf7c2789822db8b5efa34f5ebcf1621bc0008d48"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-26785.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}