HIGH
accel/amdxdna SVA UAF
CVE-2026-45931
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 6.6 (MEDIUM)
01 Description
In the Linux kernel, the following vulnerability has been resolved:

accel/amdxdna: Hold mm structure across iommu_sva_unbind_device()

Some tests trigger a crash in iommu_sva_unbind_device() due to accessing iommu_mm after the associated mm structure has been freed. Fix this by taking an explicit reference to the mm structure after successfully binding the device, and releasing it only after the device is unbound. This ensures the mm remains valid for the entire SVA bind/unbind lifetime.
02 KernelScan AI Analysis
Risk summary
A use-after-free vulnerability in the AMD XDNA accelerator driver can cause a kernel crash, and potentially limited information disclosure or memory corruption, when a process using the accelerator exits while IOMMU SVA operations are in progress. The missing mm_struct reference count allows the mm to be freed deterministically before cleanup, making the bug directly triggerable by an unprivileged local user with access to the accelerator device node.
Vulnerability analysis
The vulnerability occurs because the driver did not maintain a reference count for the mm_struct during IOMMU Shared Virtual Addressing (SVA) operations. When a process opens the DRM device and later exits (or the file descriptor is closed in a different process after the original mm is freed), the mm_struct can be freed while iommu_sva_unbind_device() still accesses it through the dangling pointer. The fix adds explicit mmgrab()/mmdrop() calls to ensure the mm_struct remains valid throughout the entire SVA bind/unbind lifecycle. This is a local vulnerability requiring access to the AMD XDNA accelerator hardware and its device node, but it does not require root privileges.
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.14 | f6b4c1d98a7b |
| 6.19 | 6.19.4 | f31ccf627813 |
| mainline | 7.0 | a9162439ad79 |