{"id":"CVE-2025-40172","summary":"accel/qaic: Treat remaining == 0 as error in find_and_map_user_pages()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\naccel/qaic: Treat remaining == 0 as error in find_and_map_user_pages()\n\nCurrently, if find_and_map_user_pages() takes a DMA xfer request from the\nuser with a length field set to 0, or in a rare case, the host receives\nQAIC_TRANS_DMA_XFER_CONT from the device where resources-\u003exferred_dma_size\nis equal to the requested transaction size, the function will return 0\nbefore allocating an sgt or setting the fields of the dma_xfer struct.\nIn that case, encode_addr_size_pairs() will try to access the sgt which\nwill lead to a general protection fault.\n\nReturn an EINVAL in case the user provides a zero-sized ALP, or the device\nrequests continuation after all of the bytes have been transferred.","modified":"2026-04-02T12:48:18.576605Z","published":"2025-11-12T10:53:49.245Z","related":["SUSE-SU-2025:4393-1","SUSE-SU-2025:4422-1","SUSE-SU-2025:4505-1","SUSE-SU-2025:4516-1","SUSE-SU-2025:4517-1","SUSE-SU-2025:4521-1","SUSE-SU-2026:20012-1","SUSE-SU-2026:20015-1","SUSE-SU-2026:20021-1","SUSE-SU-2026:20039-1","SUSE-SU-2026:20059-1","SUSE-SU-2026:20473-1","SUSE-SU-2026:20496-1","openSUSE-SU-2025:20172-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40172.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/11f08c30a3e4157305ba692f1d44cca5fc9a8fca"},{"type":"WEB","url":"https://git.kernel.org/stable/c/1ab9733d14cc9987cc5dcd1f0ad1f416e302e2e6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/48b1d42286bfef7628b1d6c8c28d4e456c90f725"},{"type":"WEB","url":"https://git.kernel.org/stable/c/551f1dfbcb7f3e6ed07f9d6c8c1c64337fcd0ede"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40172.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40172"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"96d3c1cadedb6ae2e8965e19cd12caa244afbd9c"},{"fixed":"48b1d42286bfef7628b1d6c8c28d4e456c90f725"},{"fixed":"551f1dfbcb7f3e6ed07f9d6c8c1c64337fcd0ede"},{"fixed":"1ab9733d14cc9987cc5dcd1f0ad1f416e302e2e6"},{"fixed":"11f08c30a3e4157305ba692f1d44cca5fc9a8fca"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"d410a96e5cb8c1ec7049c83f2edcd8bbfaf5d9b3"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40172.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.5.0"},{"fixed":"6.6.114"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.55"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.17.5"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40172.json"}}],"schema_version":"1.7.5"}