Critical Vulnerability Information Vulnerability Type: UAF (Use-After-Free) Affected Component: iommufd Issue Description: - A race condition exists during the file descriptor release process. - does not immediately invoke , but instead queues the file for deferred release. - For iommufd files and iommufd_object, the file holds a reference count to the object, and the object must remain alive as long as the file exists. - When a new object allocation fails and is immediately released, it leads to a UAF condition. Mitigation: - The core code now manages the file lifecycle, and during abort, is called to ensure is invoked before . - If object allocation succeeds, the file holds a user reference count, preventing the iommufd_object from being destroyed. UAF Example: Commit Information: - Author: Jason Gunthorpe - Committer: Greg Kroah-Hartman - Commit Time: 2025-10-02 13:48:40 +0200 - Upstream Commit: 4e034bf045b12852a24d5d33f2451850818ba0c1