Home

Description

In the Linux kernel, the following vulnerability has been resolved: iommu/io-pgtable-arm: fix size_t signedness bug in unmap path __arm_lpae_unmap() returns size_t but was returning -ENOENT (negative error code) when encountering an unmapped PTE. Since size_t is unsigned, -ENOENT (typically -2) becomes a huge positive value (0xFFFFFFFFFFFFFFFE on 64-bit systems). This corrupted value propagates through the call chain: __arm_lpae_unmap() returns -ENOENT as size_t -> arm_lpae_unmap_pages() returns it -> __iommu_unmap() adds it to iova address -> iommu_pgsize() triggers BUG_ON due to corrupted iova This can cause IOVA address overflow in __iommu_unmap() loop and trigger BUG_ON in iommu_pgsize() from invalid address alignment. Fix by returning 0 instead of -ENOENT. The WARN_ON already signals the error condition, and returning 0 (meaning "nothing unmapped") is the correct semantic for size_t return type. This matches the behavior of other io-pgtable implementations (io-pgtable-arm-v7s, io-pgtable-dart) which return 0 on error conditions.

PUBLISHED Reserved 2026-01-13 | Published 2026-02-04 | Updated 2026-02-09 | Assigner Linux

Product status

Default status
unaffected

3318f7b5cefbff96b1bb49584ac38d2c9997a830 (git) before 41ec6988547819756fb65e94fc24f3e0dddf84ac
affected

3318f7b5cefbff96b1bb49584ac38d2c9997a830 (git) before 374e7af67d9d9d6103c2cfc8eb32abfecf3a2fd8
affected

Default status
affected

6.16
affected

Any version before 6.16
unaffected

6.18.8 (semver)
unaffected

6.19 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/41ec6988547819756fb65e94fc24f3e0dddf84ac

git.kernel.org/...c/374e7af67d9d9d6103c2cfc8eb32abfecf3a2fd8

cve.org (CVE-2026-23067)

nvd.nist.gov (CVE-2026-23067)

Download JSON