CVE-2025-40172
Description
In the Linux kernel, the following vulnerability has been resolved:
accel/qaic: Treat remaining == 0 as error in find_and_map_user_pages()
Currently, if find_and_map_user_pages() takes a DMA xfer request from the user with a length field set to 0, or in a rare case, the host receives QAIC_TRANS_DMA_XFER_CONT from the device where resources->xferred_dma_size is equal to the requested transaction size, the function will return 0 before allocating an sgt or setting the fields of the dma_xfer struct. In that case, encode_addr_size_pairs() will try to access the sgt which will lead to a general protection fault.
Return an EINVAL in case the user provides a zero-sized ALP, or the device requests continuation after all of the bytes have been transferred.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A zero-length DMA transfer request in the Linux kernel's QAIC accelerator driver causes a general protection fault when accessing an unallocated scatter-gather table.
Root Cause
In the Linux kernel's accel/qaic driver, the find_and_map_user_pages() function returns 0 without allocating a scatter-gather table (sgt) or populating the dma_xfer struct when it encounters a DMA transfer request with a length of 0. This can happen if a user submits a zero-sized address-length pair (ALP) or if the device sends a continuation request after all bytes have already been transferred (where resources->xferred_dma_size equals the requested size) [description].
Exploitation
An attacker who can submit DMA xfer transactions to the QAIC driver can reach this code path in two ways: from userspace, by supplying an address-length pair whose length field is 0, or from the device side, through a QAIC_TRANS_DMA_XFER_CONT continuation that arrives after every byte of the request has already been transferred. No privilege beyond access to the QAIC device node is needed; whether unprivileged users have that access depends on the node's permissions on the host [description].
Impact
When find_and_map_user_pages() returns 0 early, the dma_xfer struct passed to it is never populated, so its sgt pointer is left uninitialized. encode_addr_size_pairs() then dereferences that pointer, which leads to a general protection fault (GPF). A GPF in this path crashes the kernel, a denial of service for the entire host rather than just the accelerator [description].
Mitigation
The fix, already committed to the stable kernel tree, changes the behavior to return -EINVAL when the remaining transfer size is zero, preventing the invalid memory access [1][2]. Users are advised to apply the latest stable kernel updates that include this patch.
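The two control-flow variants described under Root Cause and Mitigation, as an added example that models them in userspace C. This is not the kernel's code: the function and struct names follow the driver, but the struct layouts, the page size, the caller, and the use of -EFAULT to stand in for the general protection fault are assumptions of the model. Only the handling of `remaining == 0` mirrors the fix.

```c
/*
 * Added example, not accel/qaic code: a userspace model of the early
 * "return 0" in find_and_map_user_pages() and of the -EINVAL fix.
 * Struct layouts, PAGE_SIZE, the caller and the -EFAULT stand-in for the
 * GPF are all simplifying assumptions of this model.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define PAGE_SIZE 4096

struct sg_table { size_t nents; };                 /* stand-in for the kernel sgt */
struct ioctl_resources { uint64_t xferred_dma_size; };
struct dma_xfer { struct sg_table *sgt; uint64_t addr; uint64_t size; };
struct dma_xfer_req { uint64_t addr; uint64_t size; }; /* the user's address-length pair */

typedef int (*map_fn)(const struct dma_xfer_req *, const struct ioctl_resources *,
                      struct dma_xfer *);

/* Shared tail: allocate the sgt and fill *xfer for the bytes still to move. */
static int map_remaining(const struct dma_xfer_req *req, const struct ioctl_resources *res,
                         uint64_t remaining, struct dma_xfer *xfer)
{
    xfer->sgt = calloc(1, sizeof(*xfer->sgt));
    if (!xfer->sgt)
        return -ENOMEM;
    xfer->sgt->nents = (remaining + PAGE_SIZE - 1) / PAGE_SIZE;
    xfer->addr = req->addr + res->xferred_dma_size;   /* continue where the last chunk stopped */
    xfer->size = remaining;
    return 0;
}

/* Behaviour before the fix. */
static int find_and_map_user_pages_vuln(const struct dma_xfer_req *req,
                                        const struct ioctl_resources *res,
                                        struct dma_xfer *xfer)
{
    if (req->size < res->xferred_dma_size)
        return -EINVAL;
    uint64_t remaining = req->size - res->xferred_dma_size;
    if (remaining == 0)
        return 0;              /* BUG: reports success but leaves *xfer untouched */
    return map_remaining(req, res, remaining, xfer);
}

/* Behaviour after the fix: a zero-sized ALP, or a continuation after all
 * bytes were transferred, is an invalid request rather than a silent success. */
static int find_and_map_user_pages_fixed(const struct dma_xfer_req *req,
                                         const struct ioctl_resources *res,
                                         struct dma_xfer *xfer)
{
    if (req->size < res->xferred_dma_size)
        return -EINVAL;
    uint64_t remaining = req->size - res->xferred_dma_size;
    if (remaining == 0)
        return -EINVAL;        /* FIX */
    return map_remaining(req, res, remaining, xfer);
}

/* Models encode_addr_size_pairs(): the kernel dereferences xfer->sgt
 * unconditionally. A NULL sgt stands in for the GPF here and is reported as
 * -EFAULT instead of crashing. On success returns the number of sg entries. */
static int encode_addr_size_pairs(const struct dma_xfer *xfer)
{
    if (!xfer->sgt)
        return -EFAULT;
    return (int)xfer->sgt->nents;
}

/* Models encode_dma(): one request through map + encode. The kernel's
 * dma_xfer is not zeroed, so its sgt holds garbage; zeroing it here only
 * makes the failure deterministic. */
static int encode_dma(map_fn map, uint64_t addr, uint64_t size, uint64_t already_xferred)
{
    struct ioctl_resources res = { .xferred_dma_size = already_xferred };
    struct dma_xfer_req req = { .addr = addr, .size = size };
    struct dma_xfer xfer = { 0 };
    int ret = map(&req, &res, &xfer);
    if (ret)
        return ret;
    ret = encode_addr_size_pairs(&xfer);
    free(xfer.sgt);
    return ret;
}

int main(void)
{
    printf("zero-sized ALP, vulnerable:     %d\n", encode_dma(find_and_map_user_pages_vuln, 0x1000, 0, 0));
    printf("spurious CONT, vulnerable:      %d\n", encode_dma(find_and_map_user_pages_vuln, 0x1000, 8192, 8192));
    printf("zero-sized ALP, fixed:          %d\n", encode_dma(find_and_map_user_pages_fixed, 0x1000, 0, 0));
    printf("spurious CONT, fixed:           %d\n", encode_dma(find_and_map_user_pages_fixed, 0x1000, 8192, 8192));
    printf("second 4 KiB of 8 KiB, fixed:   %d\n", encode_dma(find_and_map_user_pages_fixed, 0x1000, 8192, 4096));
    return 0;
}
```

The point of the model is the contract between the two functions: the caller treats any zero return as "xfer is ready", so a zero-length request must be rejected in the mapper, not ignored. The fixed path also keeps the pre-existing `size < xferred_dma_size` check, so a continuation that claims more bytes than requested is rejected the same way.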
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches (2)
448b1d42286bf551f1dfbcb7f1ab9733d14cc11f
08c30a3e4
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
News mentions (0)
No linked articles in our index yet.