CVE-2023-54095

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> powerpc/iommu: Fix notifiers being shared by PCI and VIO buses<br /> <br /> fail_iommu_setup() registers the fail_iommu_bus_notifier struct to both<br /> PCI and VIO buses. struct notifier_block is a linked list node, so this<br /> causes any notifiers later registered to either bus type to also be<br /> registered to the other since they share the same node.<br /> <br /> This causes issues in (at least) the vgaarb code, which registers a<br /> notifier for PCI buses. pci_notify() ends up being called on a vio<br /> device, converted with to_pci_dev() even though it&amp;#39;s not a PCI device,<br /> and finally makes a bad access in vga_arbiter_add_pci_device() as<br /> discovered with KASAN:<br /> <br /> BUG: KASAN: slab-out-of-bounds in vga_arbiter_add_pci_device+0x60/0xe00<br /> Read of size 4 at addr c000000264c26fdc by task swapper/0/1<br /> <br /> Call Trace:<br /> dump_stack_lvl+0x1bc/0x2b8 (unreliable)<br /> print_report+0x3f4/0xc60<br /> kasan_report+0x244/0x698<br /> __asan_load4+0xe8/0x250<br /> vga_arbiter_add_pci_device+0x60/0xe00<br /> pci_notify+0x88/0x444<br /> notifier_call_chain+0x104/0x320<br /> blocking_notifier_call_chain+0xa0/0x140<br /> device_add+0xac8/0x1d30<br /> device_register+0x58/0x80<br /> vio_register_device_node+0x9ac/0xce0<br /> vio_bus_scan_register_devices+0xc4/0x13c<br /> __machine_initcall_pseries_vio_device_init+0x94/0xf0<br /> do_one_initcall+0x12c/0xaa8<br /> kernel_init_freeable+0xa48/0xba8<br /> kernel_init+0x64/0x400<br /> ret_from_kernel_thread+0x5c/0x64<br /> <br /> Fix this by creating separate notifier_block structs for each bus type.<br /> <br /> [mpe: Add #ifdef to fix CONFIG_IBMVIO=n build]