{"id":"CVE-2024-56668","summary":"iommu/vt-d: Fix qi_batch NULL pointer with nested parent domain","details":"In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Fix qi_batch NULL pointer with nested parent domain\n\nThe qi_batch is allocated when assigning cache tag for a domain. While\nfor nested parent domain, it is missed. Hence, when trying to map pages\nto the nested parent, NULL dereference occurred. Also, there is potential\nmemleak since there is no lock around domain-\u003eqi_batch allocation.\n\nTo solve it, add a helper for qi_batch allocation, and call it in both\nthe __cache_tag_assign_domain() and __cache_tag_assign_parent_domain().\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000200\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 8104795067 P4D 0\n  Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI\n  CPU: 223 UID: 0 PID: 4357 Comm: qemu-system-x86 Not tainted 6.13.0-rc1-00028-g4b50c3c3b998-dirty #2632\n  Call Trace:\n   ? __die+0x24/0x70\n   ? page_fault_oops+0x80/0x150\n   ? do_user_addr_fault+0x63/0x7b0\n   ? exc_page_fault+0x7c/0x220\n   ? asm_exc_page_fault+0x26/0x30\n   ? cache_tag_flush_range_np+0x13c/0x260\n   intel_iommu_iotlb_sync_map+0x1a/0x30\n   iommu_map+0x61/0xf0\n   batch_to_domain+0x188/0x250\n   iopt_area_fill_domains+0x125/0x320\n   ? rcu_is_watching+0x11/0x50\n   iopt_map_pages+0x63/0x100\n   iopt_map_common.isra.0+0xa7/0x190\n   iopt_map_user_pages+0x6a/0x80\n   iommufd_ioas_map+0xcd/0x1d0\n   iommufd_fops_ioctl+0x118/0x1c0\n   __x64_sys_ioctl+0x93/0xc0\n   do_syscall_64+0x71/0x140\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e","modified":"2026-05-18T05:57:59.779469970Z","published":"2024-12-27T15:06:29.879Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/56xxx/CVE-2024-56668.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/74536f91962d5f6af0a42414773ce61e653c10ee"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ffd774c34774fd4cc0e9cf2976595623a6c3a077"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/56xxx/CVE-2024-56668.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-56668"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"705c1cdf1e73c4c727bbfc8775434e6dd36e8baf"},{"fixed":"ffd774c34774fd4cc0e9cf2976595623a6c3a077"},{"fixed":"74536f91962d5f6af0a42414773ce61e653c10ee"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-56668.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.12.0"},{"fixed":"6.12.6"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-56668.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}