CVE-2025-38062

Source
https://cve.org/CVERecord?id=CVE-2025-38062
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38062.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-38062
Published
2025-06-18T09:33:41.282Z
Modified
2026-03-20T12:42:39.123004Z
Summary
genirq/msi: Store the IOMMU IOVA directly in msi_desc instead of iommu_cookie
Details

In the Linux kernel, the following vulnerability has been resolved:

genirq/msi: Store the IOMMU IOVA directly in msi_desc instead of iommu_cookie

The IOMMU translation for MSI message addresses has been a 2-step process, separated in time:

1) iommu_dma_prepare_msi(): A cookie pointer containing the IOVA address is stored in the MSI descriptor when an MSI interrupt is allocated.

2) iommu_dma_compose_msi_msg(): this cookie pointer is used to compute a translated message address.

This has an inherent lifetime problem for the pointer stored in the cookie that must remain valid between the two steps. However, there is no locking at the irq layer that helps protect the lifetime. Today, this works under the assumption that the iommu domain is not changed while MSI interrupts are being programmed. This is true for normal DMA API users within the kernel, as the iommu domain is attached before the driver is probed and cannot be changed while a driver is attached.

Classic VFIO type1 also prevented changing the iommu domain while VFIO was running as it does not support changing the "container" after starting up.

However, iommufd has improved this so that the iommu domain can be changed during VFIO operation. This potentially allows userspace to directly race VFIO_DEVICE_ATTACH_IOMMUFD_PT (which calls iommu_attach_group()) and VFIO_DEVICE_SET_IRQS (which calls into iommu_dma_compose_msi_msg()).

This potentially causes both the cookie pointer and the unlocked call to iommu_get_domain_for_dev() on the MSI translation path to become UAFs.

Fix the MSI cookie UAF by removing the cookie pointer. The translated IOVA address is already known during iommu_dma_prepare_msi() and cannot change. Thus, it can simply be stored as an integer in the MSI descriptor.

The other UAF related to iommu_get_domain_for_dev() will be addressed in patch "iommu: Make iommu_dma_prepare_msi() into a generic operation" by using the IOMMU group mutex.
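The two-step prepare/compose sequence and why a by-value IOVA survives a domain change is easier to see in a small model. The C below is an added user-space illustration written for this page; it is not kernel code and not part of the commit above. Names such as msi_desc_old, msi_desc_new, prepare_msi_*, compose_msi_*, detach_domain and run_race are hypothetical stand-ins for msi_desc, iommu_dma_prepare_msi(), iommu_dma_compose_msi_msg() and the domain attach path, and the doorbell address and domain base are constructed values. Freeing the cookie is modelled by poisoning it so the stale read stays defined behaviour in the demo.

```c
/*
 * Hypothetical user-space model of the lifetime problem behind
 * CVE-2025-38062. NOT kernel code: structures and functions are
 * simplified stand-ins, and "freeing" the cookie is modelled by
 * poisoning so that the stale read is still defined behaviour here.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define GRANULE      4096u                      /* stand-in for the MSI granule */
#define POISON_IOVA  0xdeaddeaddeaddeadULL      /* marks a "freed" cookie */

/* Domain-owned cookie: the thing the pre-fix descriptor pointed at. */
struct msi_cookie {
    uint64_t iova;
    bool     freed;       /* model only; a real free() leaves no such flag */
};

/* Model IOMMU domain: owns the cookie, dies on detach/replace. */
struct domain {
    uint64_t          msi_base;   /* IOVA window where the doorbell is mapped */
    struct msi_cookie cookie;
};

struct msi_msg { uint32_t address_lo, address_hi, data; };

/* Pre-fix descriptor: a pointer whose lifetime the irq layer does not control. */
struct msi_desc_old { struct msi_cookie *iommu_cookie; };
/* Post-fix descriptor: the translated IOVA held by value. */
struct msi_desc_new { uint64_t iommu_msi_iova; };

static uint64_t translate(const struct domain *dom, uint64_t msi_addr)
{
    /* Granule-aligned doorbell page mapped at the domain's MSI base. */
    return dom->msi_base + (msi_addr & ~(uint64_t)(GRANULE - 1));
}

/* Step 1, old: remember a pointer into the domain's cookie. */
static void prepare_msi_old(struct msi_desc_old *d, struct domain *dom, uint64_t msi_addr)
{
    dom->cookie.iova  = translate(dom, msi_addr);
    dom->cookie.freed = false;
    d->iommu_cookie   = &dom->cookie;
}

/* Step 1, new: the IOVA is already known and cannot change, so copy it. */
static void prepare_msi_new(struct msi_desc_new *d, struct domain *dom, uint64_t msi_addr)
{
    d->iommu_msi_iova = translate(dom, msi_addr);
}

/* Domain replaced between the two steps (what an ATTACH racing SET_IRQS does). */
static void detach_domain(struct domain *dom)
{
    dom->cookie.iova  = POISON_IOVA;
    dom->cookie.freed = true;
}

/* Split the IOVA into hi/lo words, keeping the sub-granule doorbell offset. */
static void set_addr(struct msi_msg *msg, uint64_t iova)
{
    msg->address_hi  = (uint32_t)(iova >> 32);
    msg->address_lo &= GRANULE - 1;
    msg->address_lo += (uint32_t)iova;
}

/* Step 2, old: dereferences the stored pointer. Returns whether the cookie
 * was still alive; the real kernel has no way to make this check. */
static bool compose_msi_old(const struct msi_desc_old *d, struct msi_msg *msg)
{
    const struct msi_cookie *c = d->iommu_cookie;
    set_addr(msg, c->iova);          /* reads through the stale pointer */
    return !c->freed;
}

/* Step 2, new: only the descriptor's own integer is consulted. */
static void compose_msi_new(const struct msi_desc_new *d, struct msi_msg *msg)
{
    set_addr(msg, d->iommu_msi_iova);
}

static uint64_t msg_addr(const struct msi_msg *m)
{
    return ((uint64_t)m->address_hi << 32) | m->address_lo;
}

struct race_result { uint64_t old_addr; bool old_cookie_valid; uint64_t new_addr; };

/* prepare -> domain replaced -> compose, for both descriptor layouts. */
static struct race_result run_race(void)
{
    struct domain dom = { .msi_base = 0x8000000ULL };     /* constructed */
    const uint64_t doorbell = 0xfee00abcULL;               /* constructed */
    struct msi_desc_old od;
    struct msi_desc_new nd;
    struct msi_msg om = { .address_lo = (uint32_t)doorbell }, nm = om;
    struct race_result r;

    prepare_msi_old(&od, &dom, doorbell);
    prepare_msi_new(&nd, &dom, doorbell);
    detach_domain(&dom);                 /* the window the commit describes */
    r.old_cookie_valid = compose_msi_old(&od, &om);
    compose_msi_new(&nd, &nm);
    r.old_addr = msg_addr(&om);
    r.new_addr = msg_addr(&nm);
    return r;
}

int main(void)
{
    struct race_result r = run_race();
    printf("old layout: cookie valid=%d, programmed 0x%llx\n",
           r.old_cookie_valid, (unsigned long long)r.old_addr);
    printf("new layout: programmed 0x%llx\n", (unsigned long long)r.new_addr);
    return 0;
}
```

With the domain replaced between the steps, the pointer-based descriptor composes an address out of whatever now occupies the cookie's memory, while the by-value descriptor still programs 0x106e00abc, the translated doorbell page plus the original 0xabc offset. The remaining unlocked iommu_get_domain_for_dev() call the commit mentions is a separate lifetime issue and is not modelled here.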

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38062.json",
    "cna_assigner": "Linux"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
ece6e6f0218b7777e650bf93728130ae6f4feb7d
Fixed
e4d3763223c7b72ded53425207075e7453b4e3d5
Fixed
ba41e4e627db51d914444aee0b93eb67f31fa330
Fixed
53f42776e435f63e5f8e61955e4c205dbfeaf524
Fixed
856152eb91e67858a09e30a7149a1f29b04b7384
Fixed
1f7df3a691740a7736bbc99dc4ed536120eb4746

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38062.json"