Bug 1222418 (CVE-2024-26709) - VUL-0: CVE-2024-26709: kernel: powerpc/iommu: Fix the missing iommu_group_put() during platform domain attach
Summary: VUL-0: CVE-2024-26709: kernel: powerpc/iommu: Fix the missing iommu_group_put...
Status: RESOLVED FIXED
Alias: CVE-2024-26709
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P5 - None : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/400180/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-26709:5.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-04-08 06:40 UTC by SMASH SMASH
Modified: 2024-07-01 16:05 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description SMASH SMASH 2024-04-08 06:40:21 UTC 
In the Linux kernel, the following vulnerability has been resolved:

powerpc/iommu: Fix the missing iommu_group_put() during platform domain attach

The function spapr_tce_platform_iommu_attach_dev() is missing to call
iommu_group_put() when the domain is already set. This refcount leak
shows up with BUG_ON() during DLPAR remove operation as:

  KernelBug: Kernel bug in state 'None': kernel BUG at arch/powerpc/platforms/pseries/iommu.c:100!
  Oops: Exception in kernel mode, sig: 5 [#1]
  LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=8192 NUMA pSeries
  <snip>
  Hardware name: IBM,9080-HEX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_016) hv:phyp pSeries
  NIP:  c0000000000ff4d4 LR: c0000000000ff4cc CTR: 0000000000000000
  REGS: c0000013aed5f840 TRAP: 0700   Tainted: G          I         (6.8.0-rc3-autotest-g99bd3cb0d12e)
  MSR:  8000000000029033 <SF,EE,ME,IR,DR,RI,LE>  CR: 44002402  XER: 20040000
  CFAR: c000000000a0d170 IRQMASK: 0
  ...
  NIP iommu_reconfig_notifier+0x94/0x200
  LR  iommu_reconfig_notifier+0x8c/0x200
  Call Trace:
    iommu_reconfig_notifier+0x8c/0x200 (unreliable)
    notifier_call_chain+0xb8/0x19c
    blocking_notifier_call_chain+0x64/0x98
    of_reconfig_notify+0x44/0xdc
    of_detach_node+0x78/0xb0
    ofdt_write.part.0+0x86c/0xbb8
    proc_reg_write+0xf4/0x150
    vfs_write+0xf8/0x488
    ksys_write+0x84/0x140
    system_call_exception+0x138/0x330
    system_call_vectored_common+0x15c/0x2ec

The patch adds the missing iommu_group_put() call.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-26709
https://www.cve.org/CVERecord?id=CVE-2024-26709
https://git.kernel.org/stable/c/0846dd77c8349ec92ca0079c9c71d130f34cb192
https://git.kernel.org/stable/c/c90fdea9cac9eb419fc266e75d625cb60c8f7f6c
https://bugzilla.redhat.com/show_bug.cgi?id=2273164