In the Linux kernel, the following vulnerability has been resolved:

iommu/amd: Bounds-check devid in __rlookup_amd_iommu()

iommu_device_register() walks every device on the PCI bus via
bus_for_each_dev() and calls amd_iommu_probe_device() for each. The
inlined check_device() path computes the device's sbdf, calls
rlookup_amd_iommu() to find the owning IOMMU, and only afterwards
verifies devid <= pci_seg->last_bdf. __rlookup_amd_iommu() indexes
rlookup_table[devid] with no bounds check of its own, so for a PCI
device whose BDF is not described by the IVRS, the lookup reads past
the end of the allocation before the caller's bounds check can run.

This was harmless before commit e874c666b15b ("iommu/amd: Change
rlookup, irq_lookup, and alias to use kvalloc()"): the table was a
zeroed page-order allocation, so the over-read returned NULL and the
caller's NULL check skipped the device. After that commit the table is
a tight kvcalloc() and the over-read returns adjacent slab contents,
which check_device() then dereferences as a struct amd_iommu *,
causing a boot-time GPF.

Seen on Google Compute Engine ct6e VMs, where the virtualized IVRS
describes only the four TPU endpoints 00:04.0-07.0; the gVNIC at
00:08.0 (devid 0x40) indexes 56 bytes past the 456-byte allocation,
into the adjacent kmalloc-512 slab object:

  pci 0000:00:04.0: Adding to iommu group 0
  pci 0000:00:05.0: Adding to iommu group 1
  pci 0000:00:06.0: Adding to iommu group 2
  pci 0000:00:07.0: Adding to iommu group 3
  Oops: general protection fault, probably for non-canonical address 0x3a64695f78746382: 0000 [#1] SMP NOPTI
  CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.22 #1
  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/06/2025
  RIP: 0010:amd_iommu_probe_device+0x54/0x3a0
  Call Trace:
   __iommu_probe_device+0x107/0x520
   probe_iommu_group+0x29/0x50
   bus_for_each_dev+0x7e/0xe0
   iommu_device_register+0xc9/0x240
   iommu_go_to_state+0x9c0/0x1c60
   amd_iommu_init+0x14/0x40
   pci_iommu_init+0x16/0

https://git.kernel.org/stable/c/07d0f496fe7ec5abe3bee7e38be709521567bb33

https://git.kernel.org/stable/c/79db4cbab81f07ce69a93d379ebd40d3709ecfb2

https://git.kernel.org/stable/c/f0a0f01787ecece814414b0665df879b69849d09

[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/iommu/amd/iommu.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"e874c666b15bcb6280c4e747d8de3879bb728829","lessThan":"f0a0f01787ecece814414b0665df879b69849d09","versionType":"git","status":"affected"},{"version":"e874c666b15bcb6280c4e747d8de3879bb728829","lessThan":"79db4cbab81f07ce69a93d379ebd40d3709ecfb2","versionType":"git","status":"affected"},{"version":"e874c666b15bcb6280c4e747d8de3879bb728829","lessThan":"07d0f496fe7ec5abe3bee7e38be709521567bb33","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["drivers/iommu/amd/iommu.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6.16","status":"affected"},{"version":"0","lessThan":"6.16","versionType":"semver","status":"unaffected"},{"version":"6.18.33","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.10","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]