CVE-2024-26738
Severity CVSS v4.0:
Pending analysis
Type:
CWE-476
NULL Pointer Dereference
Publication date:
03/04/2024
Last modified:
07/01/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

powerpc/pseries/iommu: DLPAR add doesn't completely initialize pci_controller

When a PCI device is dynamically added, the kernel oopses with a NULL
pointer dereference:

BUG: Kernel NULL pointer dereference on read at 0x00000030
Faulting instruction address: 0xc0000000006bbe5c
Oops: Kernel access of bad area, sig: 11 [#1]
LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries
Modules linked in: rpadlpar_io rpaphp rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs xsk_diag bonding nft_compat nf_tables nfnetlink rfkill binfmt_misc dm_multipath rpcrdma sunrpc rdma_ucm ib_srpt ib_isert iscsi_target_mod target_core_mod ib_umad ib_iser libiscsi scsi_transport_iscsi ib_ipoib rdma_cm iw_cm ib_cm mlx5_ib ib_uverbs ib_core pseries_rng drm drm_panel_orientation_quirks xfs libcrc32c mlx5_core mlxfw sd_mod t10_pi sg tls ibmvscsi ibmveth scsi_transport_srp vmx_crypto pseries_wdt psample dm_mirror dm_region_hash dm_log dm_mod fuse
CPU: 17 PID: 2685 Comm: drmgr Not tainted 6.7.0-203405+ #66
Hardware name: IBM,9080-HEX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_008) hv:phyp pSeries
NIP: c0000000006bbe5c LR: c000000000a13e68 CTR: c0000000000579f8
REGS: c00000009924f240 TRAP: 0300 Not tainted (6.7.0-203405+)
MSR: 8000000000009033 CR: 24002220 XER: 20040006
CFAR: c000000000a13e64 DAR: 0000000000000030 DSISR: 40000000 IRQMASK: 0
...
NIP sysfs_add_link_to_group+0x34/0x94
LR iommu_device_link+0x5c/0x118
Call Trace:
iommu_init_device+0x26c/0x318 (unreliable)
iommu_device_link+0x5c/0x118
iommu_init_device+0xa8/0x318
iommu_probe_device+0xc0/0x134
iommu_bus_notifier+0x44/0x104
notifier_call_chain+0xb8/0x19c
blocking_notifier_call_chain+0x64/0x98
bus_notify+0x50/0x7c
device_add+0x640/0x918
pci_device_add+0x23c/0x298
of_create_pci_dev+0x400/0x884
of_scan_pci_dev+0x124/0x1b0
__of_scan_bus+0x78/0x18c
pcibios_scan_phb+0x2a4/0x3b0
init_phb_dynamic+0xb8/0x110
dlpar_add_slot+0x170/0x3b8 [rpadlpar_io]
add_slot_store.part.0+0xb4/0x130 [rpadlpar_io]
kobj_attr_store+0x2c/0x48
sysfs_kf_write+0x64/0x78
kernfs_fop_write_iter+0x1b0/0x290
vfs_write+0x350/0x4a0
ksys_write+0x84/0x140
system_call_exception+0x124/0x330
system_call_vectored_common+0x15c/0x2ec

Commit a940904443e4 ("powerpc/iommu: Add iommu_ops to report capabilities
and allow blocking domains") broke DLPAR add of PCI devices.

The above added iommu_device structure to pci_controller. During
system boot, PCI devices are discovered and this newly added iommu_device
structure is initialized by a call to iommu_device_register().

During DLPAR add of a PCI device, a new pci_controller structure is
allocated but there are no calls made to iommu_device_register()
interface.

Fix is to register the iommu device during DLPAR add as well.
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.4 (including) | 6.6.19 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.7.7 (excluding) |
cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:* |  |  |
cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:* |  |  |
cpe:2.3:o:linux:linux_kernel:6.8:rc3:*:*:*:*:*:* |  |  |
cpe:2.3:o:linux:linux_kernel:6.8:rc4:*:*:*:*:*:* |  |  |
cpe:2.3:o:linux:linux_kernel:6.8:rc5:*:*:*:*:*:* |  |  |
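
A triage helper for the oops signature in the description and the affected ranges in the table above, as an added example that is not part of the CVE record or the kernel commit. The function names `version_affected` and `triage` are assumptions, the first sample log is trimmed from the oops on this page, and the second is constructed.

```python
import re

# Affected ranges from this page's CPE table, as (first affected, first fixed).
AFFECTED = [((6, 4, 0), (6, 6, 19)), ((6, 7, 0), (6, 7, 7))]
AFFECTED_RC = {f"6.8-rc{n}" for n in range(1, 6)}  # 6.8-rc1 .. 6.8-rc5
# Symbols copied from the oops in the description: the faulting function and
# frames showing the IOMMU probe was reached through the DLPAR add path.
FAULT_SYM = "sysfs_add_link_to_group"
FRAMES = ("iommu_device_link", "iommu_probe_device", "init_phb_dynamic")

def version_affected(release):
    """True if a `uname -r` style string is inside the ranges above.
    Upstream numbering only; distro backports need the vendor advisory."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(rc\d+))?", release)
    if not m:
        return False
    major, minor, patch, rc = m.groups()
    if rc:
        return f"{major}.{minor}-{rc}" in AFFECTED_RC
    v = (int(major), int(minor), int(patch or 0))
    return any(lo <= v < hi for lo, hi in AFFECTED)

def triage(log_text):
    """Report whether an oops matches this CVE's signature and kernel range."""
    nip = re.search(r"\bNIP\s+(?:\[[0-9a-f]+\]\s+)?(\w+)\+0x", log_text)
    rel = re.search(r"Comm: \S+ .*?(\d+\.\d+\.\d+\S*) #", log_text)
    signature = ("Kernel NULL pointer dereference" in log_text
                 and nip is not None and nip.group(1) == FAULT_SYM
                 and all(f + "+0x" in log_text for f in FRAMES))
    release = rel.group(1) if rel else None
    return {"signature": signature, "release": release,
            "version_affected": bool(release) and version_affected(release)}

# Trimmed copy of the oops on this page.
PAGE_OOPS = """\
BUG: Kernel NULL pointer dereference on read at 0x00000030
CPU: 17 PID: 2685 Comm: drmgr Not tainted 6.7.0-203405+ #66
NIP sysfs_add_link_to_group+0x34/0x94
LR iommu_device_link+0x5c/0x118
iommu_probe_device+0xc0/0x134
init_phb_dynamic+0xb8/0x110
dlpar_add_slot+0x170/0x3b8 [rpadlpar_io]
"""
# Constructed for contrast: a NULL dereference in an unrelated path.
OTHER_OOPS = """\
BUG: Kernel NULL pointer dereference on read at 0x00000008
CPU: 3 PID: 911 Comm: kworker/3:1 Not tainted 6.6.19 #1
NIP example_driver_poll+0x20/0x80
"""
```

Pass the text of a captured oops to `triage()`; a signature match on a release outside the listed ranges is worth checking against the vendor's backport status.
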
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/46e36ebd5e00a148b67ed77c1d31675996f77c25
- https://git.kernel.org/stable/c/a5c57fd2e9bd1c8ea8613a8f94fd0be5eccbf321
- https://git.kernel.org/stable/c/b8315b2e25b4e68e42fcb74630f824b9a5067765