CVE-2026-45904
published 2026-05-27CVE-2026-45904: In the Linux kernel, the following vulnerability has been resolved: powerpc/eeh: fix recursive pci_lock_rescan_remove locking in EEH event handling The recent…
medium5.5
In the Linux kernel, the following vulnerability has been resolved:
powerpc/eeh: fix recursive pci_lock_rescan_remove locking in EEH event handling
The recent commit 1010b4c012b0 ("powerpc/eeh: Make EEH driver device
hotplug safe") restructured the EEH driver to improve synchronization
with the PCI hotplug layer.
However, it inadvertently moved pci_lock_rescan_remove() outside its
intended scope in eeh_handle_normal_event(), leading to broken PCI
error reporting and improper EEH event triggering. Specifically,
eeh_handle_normal_event() acquired pci_lock_rescan_remove() before
calling eeh_pe_bus_get(), but eeh_pe_bus_get() itself attempts to
acquire the same lock internally, causing nested locking and disrupting
normal EEH event handling paths.
This patch adds a boolean parameter do_lock to _eeh_pe_bus_get(),
with two public wrappers:
eeh_pe_bus_get() with locking enabled.
eeh_pe_bus_get_nolock() that skips locking.
Callers that already hold pci_lock_rescan_remove() now use
eeh_pe_bus_get_nolock() to avoid recursive lock acquisition.
Additionally, pci_lock_rescan_remove() calls are restored to the correct
position—after eeh_pe_bus_get() and immediately before iterating affected
PEs and devices. This ensures EEH-triggered PCI removes occur under proper
bus rescan locking without recursive lock contention.
The eeh_pe_loc_get() function has been split into two functions:
eeh_pe_loc_get(struct eeh_pe *pe) which retrieves the loc for given PE.
eeh_pe_loc_get_bus(struct pci_bus *bus) which retrieves the location
code for given bus.
This resolves lockdep warnings such as:
[ 84.964298] [ T928] ============================================
[ 84.964304] [ T928] WARNING: possible recursive locking detected
[ 84.964311] [ T928] 6.18.0-rc3 #51 Not tainted
[ 84.964315] [ T928] --------------------------------------------
[ 84.964320] [ T928] eehd/928 is trying to acquire lock:
[ 84.964324] [ T928] c000000003b29d58 (pci_rescan_remove_lock){+.+.}-{3:3}, at: pci_lock_rescan_r
Affected
19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux | — | — |
| linux | linux | — | — |
| linux | linux | — | — |
| linux | linux | >= 1010b4c012b0d78dfb9d3132b49aa2ef024a07a7 < 6e6561231c6cfc32c5631aeecc0928ff2b14265c | 6e6561231c6cfc32c5631aeecc0928ff2b14265c |
| linux | linux | >= 1010b4c012b0d78dfb9d3132b49aa2ef024a07a7 < b85ee287bfe52c6b2d9b41758b5e0d08679d5b39 | b85ee287bfe52c6b2d9b41758b5e0d08679d5b39 |
| linux | linux | >= 1010b4c012b0d78dfb9d3132b49aa2ef024a07a7 < 815a8d2feb5615ae7f0b5befd206af0b0160614c | 815a8d2feb5615ae7f0b5befd206af0b0160614c |
| linux | linux | >= 5.10.241 < 5.10.252 | 5.10.252 |
| linux | linux | >= 5.15.190 < 5.15.202 | 5.15.202 |
| linux | linux | >= 502f08831a9afb72dc98a56ae6504da43e93b250 < 89810e2d80281d42f855fac813786758ee16e323 | 89810e2d80281d42f855fac813786758ee16e323 |
| linux | linux | >= 59c6d3d81d42bf543c90597b4f38c53d6874c5a1 < f49faa4a64f8ac0e38983e606075b25dfcfc9ad4 | f49faa4a64f8ac0e38983e606075b25dfcfc9ad4 |
| linux | linux | >= 6.1.148 < 6.1.165 | 6.1.165 |
| linux | linux | >= 6.12.42 < 6.12.75 | 6.12.75 |
| linux | linux | >= 6.15.10 < 6.16 | 6.16 |
| linux | linux | >= 6.16.1 < 6.17 | 6.17 |
| linux | linux | >= 6.6.102 < 6.6.128 | 6.6.128 |
| linux | linux | >= a426e8a6ae161f51888585b065db0f8f93ab2e16 < 87a1f93986aa1500b85aeff16b0b71c29ea116ea | 87a1f93986aa1500b85aeff16b0b71c29ea116ea |
| linux | linux | >= d2c60a8a387e9fcc28447ef36c03f8e49fd052a6 < f8b16d5764ee1e78c1ef333017ad383ffe76fcdc | f8b16d5764ee1e78c1ef333017ad383ffe76fcdc |
| linux | linux | >= f56e004b781719d8fdf6c9619b15caf2579bc1f2 < 788dd28fd49610d6047cbb15dbf1186afffdfbaf | 788dd28fd49610d6047cbb15dbf1186afffdfbaf |
| linux | linux_kernel | — | — |