CVE-2025-40172

Source: https://cve.org/CVERecord?id=CVE-2025-40172
Import Source: https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40172.json
JSON Data: https://api.test.osv.dev/v1/vulns/CVE-2025-40172
Published: 2025-11-12T10:53:49.245Z
Modified: 2026-03-20T12:43:12.468023Z
Summary: accel/qaic: Treat remaining == 0 as error in find_and_map_user_pages()
Details

In the Linux kernel, the following vulnerability has been resolved:

accel/qaic: Treat remaining == 0 as error in find_and_map_user_pages()

Currently, if find_and_map_user_pages() takes a DMA xfer request from the user with a length field set to 0, or in a rare case, the host receives QAIC_TRANS_DMA_XFER_CONT from the device where resources->xferred_dma_size is equal to the requested transaction size, the function will return 0 before allocating an sgt or setting the fields of the dma_xfer struct. In that case, encode_addr_size_pairs() will try to access the sgt which will lead to a general protection fault.

Return an EINVAL in case the user provides a zero-sized ALP, or the device requests continuation after all of the bytes have been transferred.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40172.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events:
  Introduced: 96d3c1cadedb6ae2e8965e19cd12caa244afbd9c
  Fixed: 48b1d42286bfef7628b1d6c8c28d4e456c90f725
  Fixed: 551f1dfbcb7f3e6ed07f9d6c8c1c64337fcd0ede
  Fixed: 1ab9733d14cc9987cc5dcd1f0ad1f416e302e2e6
  Fixed: 11f08c30a3e4157305ba692f1d44cca5fc9a8fca

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events:
  Introduced: 0 Unknown introduced commit / All previous commits are affected
  Last affected: d410a96e5cb8c1ec7049c83f2edcd8bbfaf5d9b3

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40172.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type: ECOSYSTEM
Events:
  Introduced: 6.5.0
  Fixed: 6.6.114

Type: ECOSYSTEM
Events:
  Introduced: 6.7.0
  Fixed: 6.12.55

Type: ECOSYSTEM
Events:
  Introduced: 6.13.0
  Fixed: 6.17.5

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40172.json"