Fixed
Created: Nov 12, 2025
Updated: Nov 25, 2025
Resolved Date: Nov 24, 2025
Found In Version: 10.25.33.1
Fix Version: 10.25.33.3
Severity: Standard
Applicable for: Wind River Linux LTS 25
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:[EOL][EOL]accel/qaic: Treat remaining == 0 as error in find_and_map_user_pages()[EOL][EOL]Currently, if find_and_map_user_pages() takes a DMA xfer request from the[EOL]user with a length field set to 0, or in a rare case, the host receives[EOL]QAIC_TRANS_DMA_XFER_CONT from the device where resources->xferred_dma_size[EOL]is equal to the requested transaction size, the function will return 0[EOL]before allocating an sgt or setting the fields of the dma_xfer struct.[EOL]In that case, encode_addr_size_pairs() will try to access the sgt which[EOL]will lead to a general protection fault.[EOL][EOL]Return an EINVAL in case the user provides a zero-sized ALP, or the device[EOL]requests continuation after all of the bytes have been transferred.
