CVE-2026-45904 (GCVE-0-2026-45904)
Vulnerability from cvelistv5
Published
2026-05-27 12:17
Modified
2026-05-27 12:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc/eeh: fix recursive pci_lock_rescan_remove locking in EEH event handling
The recent commit 1010b4c012b0 ("powerpc/eeh: Make EEH driver device
hotplug safe") restructured the EEH driver to improve synchronization
with the PCI hotplug layer.
However, it inadvertently moved pci_lock_rescan_remove() outside its
intended scope in eeh_handle_normal_event(), leading to broken PCI
error reporting and improper EEH event triggering. Specifically,
eeh_handle_normal_event() acquired pci_lock_rescan_remove() before
calling eeh_pe_bus_get(), but eeh_pe_bus_get() itself attempts to
acquire the same lock internally, causing nested locking and disrupting
normal EEH event handling paths.
This patch adds a boolean parameter do_lock to _eeh_pe_bus_get(),
with two public wrappers:
eeh_pe_bus_get() with locking enabled.
eeh_pe_bus_get_nolock() that skips locking.
Callers that already hold pci_lock_rescan_remove() now use
eeh_pe_bus_get_nolock() to avoid recursive lock acquisition.
Additionally, pci_lock_rescan_remove() calls are restored to the correct
position—after eeh_pe_bus_get() and immediately before iterating affected
PEs and devices. This ensures EEH-triggered PCI removes occur under proper
bus rescan locking without recursive lock contention.
The eeh_pe_loc_get() function has been split into two functions:
eeh_pe_loc_get(struct eeh_pe *pe) which retrieves the loc for given PE.
eeh_pe_loc_get_bus(struct pci_bus *bus) which retrieves the location
code for given bus.
This resolves lockdep warnings such as:
<snip>
[ 84.964298] [ T928] ============================================
[ 84.964304] [ T928] WARNING: possible recursive locking detected
[ 84.964311] [ T928] 6.18.0-rc3 #51 Not tainted
[ 84.964315] [ T928] --------------------------------------------
[ 84.964320] [ T928] eehd/928 is trying to acquire lock:
[ 84.964324] [ T928] c000000003b29d58 (pci_rescan_remove_lock){+.+.}-{3:3}, at: pci_lock_rescan_remove+0x28/0x40
[ 84.964342] [ T928]
but task is already holding lock:
[ 84.964347] [ T928] c000000003b29d58 (pci_rescan_remove_lock){+.+.}-{3:3}, at: pci_lock_rescan_remove+0x28/0x40
[ 84.964357] [ T928]
other info that might help us debug this:
[ 84.964363] [ T928] Possible unsafe locking scenario:
[ 84.964367] [ T928] CPU0
[ 84.964370] [ T928] ----
[ 84.964373] [ T928] lock(pci_rescan_remove_lock);
[ 84.964378] [ T928] lock(pci_rescan_remove_lock);
[ 84.964383] [ T928]
*** DEADLOCK ***
[ 84.964388] [ T928] May be due to missing lock nesting notation
[ 84.964393] [ T928] 1 lock held by eehd/928:
[ 84.964397] [ T928] #0: c000000003b29d58 (pci_rescan_remove_lock){+.+.}-{3:3}, at: pci_lock_rescan_remove+0x28/0x40
[ 84.964408] [ T928]
stack backtrace:
[ 84.964414] [ T928] CPU: 2 UID: 0 PID: 928 Comm: eehd Not tainted 6.18.0-rc3 #51 VOLUNTARY
[ 84.964417] [ T928] Hardware name: IBM,9080-HEX POWER10 (architected) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_022) hv:phyp pSeries
[ 84.964419] [ T928] Call Trace:
[ 84.964420] [ T928] [c0000011a7157990] [c000000001705de4] dump_stack_lvl+0xc8/0x130 (unreliable)
[ 84.964424] [ T928] [c0000011a71579d0] [c0000000002f66e0] print_deadlock_bug+0x430/0x440
[ 84.964428] [ T928] [c0000011a7157a70] [c0000000002fd0c0] __lock_acquire+0x1530/0x2d80
[ 84.964431] [ T928] [c0000011a7157ba0] [c0000000002fea54] lock_acquire+0x144/0x410
[ 84.964433] [ T928] [c0000011a7157cb0] [c0000011a7157cb0] __mutex_lock+0xf4/0x1050
[ 84.964436] [ T928] [c0000011a7157e00] [c000000000de21d8] pci_lock_rescan_remove+0x28/0x40
[ 84.964439] [ T928] [c0000011a7157e20] [c00000000004ed98] eeh_pe_bus_get+0x48/0xc0
[ 84.964442] [ T928] [c0000011a7157e50] [c00000
---truncated---
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 502f08831a9afb72dc98a56ae6504da43e93b250 Version: f56e004b781719d8fdf6c9619b15caf2579bc1f2 Version: 59c6d3d81d42bf543c90597b4f38c53d6874c5a1 Version: a426e8a6ae161f51888585b065db0f8f93ab2e16 Version: d2c60a8a387e9fcc28447ef36c03f8e49fd052a6 Version: 1010b4c012b0d78dfb9d3132b49aa2ef024a07a7 Version: 1010b4c012b0d78dfb9d3132b49aa2ef024a07a7 Version: 1010b4c012b0d78dfb9d3132b49aa2ef024a07a7 Version: d42bbd8f30ac38b1ce54715bf08ec3dac18d6b25 Version: 19d5036e7ad766cf212aebec23b9f1d7924a62bc Version: 5.10.241 ≤ Version: 5.15.190 ≤ Version: 6.1.148 ≤ Version: 6.6.102 ≤ Version: 6.12.42 ≤ Version: 6.15.10 ≤ Version: 6.16.1 ≤ |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/powerpc/include/asm/eeh.h",
"arch/powerpc/kernel/eeh_driver.c",
"arch/powerpc/kernel/eeh_pe.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "89810e2d80281d42f855fac813786758ee16e323",
"status": "affected",
"version": "502f08831a9afb72dc98a56ae6504da43e93b250",
"versionType": "git"
},
{
"lessThan": "788dd28fd49610d6047cbb15dbf1186afffdfbaf",
"status": "affected",
"version": "f56e004b781719d8fdf6c9619b15caf2579bc1f2",
"versionType": "git"
},
{
"lessThan": "f49faa4a64f8ac0e38983e606075b25dfcfc9ad4",
"status": "affected",
"version": "59c6d3d81d42bf543c90597b4f38c53d6874c5a1",
"versionType": "git"
},
{
"lessThan": "87a1f93986aa1500b85aeff16b0b71c29ea116ea",
"status": "affected",
"version": "a426e8a6ae161f51888585b065db0f8f93ab2e16",
"versionType": "git"
},
{
"lessThan": "f8b16d5764ee1e78c1ef333017ad383ffe76fcdc",
"status": "affected",
"version": "d2c60a8a387e9fcc28447ef36c03f8e49fd052a6",
"versionType": "git"
},
{
"lessThan": "6e6561231c6cfc32c5631aeecc0928ff2b14265c",
"status": "affected",
"version": "1010b4c012b0d78dfb9d3132b49aa2ef024a07a7",
"versionType": "git"
},
{
"lessThan": "b85ee287bfe52c6b2d9b41758b5e0d08679d5b39",
"status": "affected",
"version": "1010b4c012b0d78dfb9d3132b49aa2ef024a07a7",
"versionType": "git"
},
{
"lessThan": "815a8d2feb5615ae7f0b5befd206af0b0160614c",
"status": "affected",
"version": "1010b4c012b0d78dfb9d3132b49aa2ef024a07a7",
"versionType": "git"
},
{
"status": "affected",
"version": "d42bbd8f30ac38b1ce54715bf08ec3dac18d6b25",
"versionType": "git"
},
{
"status": "affected",
"version": "19d5036e7ad766cf212aebec23b9f1d7924a62bc",
"versionType": "git"
},
{
"lessThan": "5.10.252",
"status": "affected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThan": "5.15.202",
"status": "affected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThan": "6.1.165",
"status": "affected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThan": "6.6.128",
"status": "affected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThan": "6.12.75",
"status": "affected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThan": "6.16",
"status": "affected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThan": "6.17",
"status": "affected",
"version": "6.16.1",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/powerpc/include/asm/eeh.h",
"arch/powerpc/kernel/eeh_driver.c",
"arch/powerpc/kernel/eeh_pe.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.252",
"versionStartIncluding": "5.10.241",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "5.15.190",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "6.1.148",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "6.6.102",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "6.12.42",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.15.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.16.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/eeh: fix recursive pci_lock_rescan_remove locking in EEH event handling\n\nThe recent commit 1010b4c012b0 (\"powerpc/eeh: Make EEH driver device\nhotplug safe\") restructured the EEH driver to improve synchronization\nwith the PCI hotplug layer.\n\nHowever, it inadvertently moved pci_lock_rescan_remove() outside its\nintended scope in eeh_handle_normal_event(), leading to broken PCI\nerror reporting and improper EEH event triggering. Specifically,\neeh_handle_normal_event() acquired pci_lock_rescan_remove() before\ncalling eeh_pe_bus_get(), but eeh_pe_bus_get() itself attempts to\nacquire the same lock internally, causing nested locking and disrupting\nnormal EEH event handling paths.\n\nThis patch adds a boolean parameter do_lock to _eeh_pe_bus_get(),\nwith two public wrappers:\n eeh_pe_bus_get() with locking enabled.\n eeh_pe_bus_get_nolock() that skips locking.\n\nCallers that already hold pci_lock_rescan_remove() now use\neeh_pe_bus_get_nolock() to avoid recursive lock acquisition.\n\nAdditionally, pci_lock_rescan_remove() calls are restored to the correct\nposition\u2014after eeh_pe_bus_get() and immediately before iterating affected\nPEs and devices. This ensures EEH-triggered PCI removes occur under proper\nbus rescan locking without recursive lock contention.\n\nThe eeh_pe_loc_get() function has been split into two functions:\n eeh_pe_loc_get(struct eeh_pe *pe) which retrieves the loc for given PE.\n eeh_pe_loc_get_bus(struct pci_bus *bus) which retrieves the location\n code for given bus.\n\nThis resolves lockdep warnings such as:\n\u003csnip\u003e\n[ 84.964298] [ T928] ============================================\n[ 84.964304] [ T928] WARNING: possible recursive locking detected\n[ 84.964311] [ T928] 6.18.0-rc3 #51 Not tainted\n[ 84.964315] [ T928] --------------------------------------------\n[ 84.964320] [ T928] eehd/928 is trying to acquire lock:\n[ 84.964324] [ T928] c000000003b29d58 (pci_rescan_remove_lock){+.+.}-{3:3}, at: pci_lock_rescan_remove+0x28/0x40\n[ 84.964342] [ T928]\n but task is already holding lock:\n[ 84.964347] [ T928] c000000003b29d58 (pci_rescan_remove_lock){+.+.}-{3:3}, at: pci_lock_rescan_remove+0x28/0x40\n[ 84.964357] [ T928]\n other info that might help us debug this:\n[ 84.964363] [ T928] Possible unsafe locking scenario:\n\n[ 84.964367] [ T928] CPU0\n[ 84.964370] [ T928] ----\n[ 84.964373] [ T928] lock(pci_rescan_remove_lock);\n[ 84.964378] [ T928] lock(pci_rescan_remove_lock);\n[ 84.964383] [ T928]\n *** DEADLOCK ***\n\n[ 84.964388] [ T928] May be due to missing lock nesting notation\n\n[ 84.964393] [ T928] 1 lock held by eehd/928:\n[ 84.964397] [ T928] #0: c000000003b29d58 (pci_rescan_remove_lock){+.+.}-{3:3}, at: pci_lock_rescan_remove+0x28/0x40\n[ 84.964408] [ T928]\n stack backtrace:\n[ 84.964414] [ T928] CPU: 2 UID: 0 PID: 928 Comm: eehd Not tainted 6.18.0-rc3 #51 VOLUNTARY\n[ 84.964417] [ T928] Hardware name: IBM,9080-HEX POWER10 (architected) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_022) hv:phyp pSeries\n[ 84.964419] [ T928] Call Trace:\n[ 84.964420] [ T928] [c0000011a7157990] [c000000001705de4] dump_stack_lvl+0xc8/0x130 (unreliable)\n[ 84.964424] [ T928] [c0000011a71579d0] [c0000000002f66e0] print_deadlock_bug+0x430/0x440\n[ 84.964428] [ T928] [c0000011a7157a70] [c0000000002fd0c0] __lock_acquire+0x1530/0x2d80\n[ 84.964431] [ T928] [c0000011a7157ba0] [c0000000002fea54] lock_acquire+0x144/0x410\n[ 84.964433] [ T928] [c0000011a7157cb0] [c0000011a7157cb0] __mutex_lock+0xf4/0x1050\n[ 84.964436] [ T928] [c0000011a7157e00] [c000000000de21d8] pci_lock_rescan_remove+0x28/0x40\n[ 84.964439] [ T928] [c0000011a7157e20] [c00000000004ed98] eeh_pe_bus_get+0x48/0xc0\n[ 84.964442] [ T928] [c0000011a7157e50] [c00000\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T12:17:12.504Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/89810e2d80281d42f855fac813786758ee16e323"
},
{
"url": "https://git.kernel.org/stable/c/788dd28fd49610d6047cbb15dbf1186afffdfbaf"
},
{
"url": "https://git.kernel.org/stable/c/f49faa4a64f8ac0e38983e606075b25dfcfc9ad4"
},
{
"url": "https://git.kernel.org/stable/c/87a1f93986aa1500b85aeff16b0b71c29ea116ea"
},
{
"url": "https://git.kernel.org/stable/c/f8b16d5764ee1e78c1ef333017ad383ffe76fcdc"
},
{
"url": "https://git.kernel.org/stable/c/6e6561231c6cfc32c5631aeecc0928ff2b14265c"
},
{
"url": "https://git.kernel.org/stable/c/b85ee287bfe52c6b2d9b41758b5e0d08679d5b39"
},
{
"url": "https://git.kernel.org/stable/c/815a8d2feb5615ae7f0b5befd206af0b0160614c"
}
],
"title": "powerpc/eeh: fix recursive pci_lock_rescan_remove locking in EEH event handling",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-45904",
"datePublished": "2026-05-27T12:17:12.504Z",
"dateReserved": "2026-05-13T15:03:33.084Z",
"dateUpdated": "2026-05-27T12:17:12.504Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…