iommu/vt-d: Don't issue ATS Invalidation request when device is disconnected
Summary
| CVE | CVE-2024-26891 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2024-04-17 11:15:10 UTC |
| Updated | 2026-05-12 12:16:24 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Don't issue ATS Invalidation request when device is disconnected For those endpoint devices connect to system via hotplug capable ports, users could request a hot reset to the device by flapping device's link through setting the slot's link control register, as pciehp_ist() DLLSC interrupt sequence response, pciehp will unload the device driver and then power it off. thus cause an IOMMU device-TLB invalidation (Intel VT-d spec, or ATS Invalidation in PCIe spec r6.1) request for non-existence target device to be sent and deadly loop to retry that request after ITE fault triggered in interrupt context. That would cause following continuous hard lockup warning and system hang [ 4211.433662] pcieport 0000:17:01.0: pciehp: Slot(108): Link Down [ 4211.433664] pcieport 0000:17:01.0: pciehp: Slot(108): Card not present [ 4223.822591] NMI watchdog: Watchdog detected hard LOCKUP on cpu 144 [ 4223.822622] CPU: 144 PID: 1422 Comm: irq/57-pciehp Kdump: loaded Tainted: G S OE kernel version xxxx [ 4223.822623] Hardware name: vendorname xxxx 666-106, BIOS 01.01.02.03.01 05/15/2023 [ 4223.822623] RIP: 0010:qi_submit_sync+0x2c0/0x490 [ 4223.822624] Code: 48 be 00 00 00 00 00 08 00 00 49 85 74 24 20 0f 95 c1 48 8b 57 10 83 c1 04 83 3c 1a 03 0f 84 a2 01 00 00 49 8b 04 24 8b 70 34 <40> f6 c6 1 0 74 17 49 8b 04 24 8b 80 80 00 00 00 89 c2 d3 fa 41 39 [ 4223.822624] RSP: 0018:ffffc4f074f0bbb8 EFLAGS: 00000093 [ 4223.822625] RAX: ffffc4f040059000 RBX: 0000000000000014 RCX: 0000000000000005 [ 4223.822625] RDX: ffff9f3841315800 RSI: 0000000000000000 RDI: ffff9f38401a8340 [ 4223.822625] RBP: ffff9f38401a8340 R08: ffffc4f074f0bc00 R09: 0000000000000000 [ 4223.822626] R10: 0000000000000010 R11: 0000000000000018 R12: ffff9f384005e200 [ 4223.822626] R13: 0000000000000004 R14: 0000000000000046 R15: 0000000000000004 [ 4223.822626] FS: 0000000000000000(0000) GS:ffffa237ae400000(0000) knlGS:0000000000000000 [ 4223.822627] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 4223.822627] CR2: 00007ffe86515d80 CR3: 000002fd3000a001 CR4: 0000000000770ee0 [ 4223.822627] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 4223.822628] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [ 4223.822628] PKRU: 55555554 [ 4223.822628] Call Trace: [ 4223.822628] qi_flush_dev_iotlb+0xb1/0xd0 [ 4223.822628] __dmar_remove_one_dev_info+0x224/0x250 [ 4223.822629] dmar_remove_one_dev_info+0x3e/0x50 [ 4223.822629] intel_iommu_release_device+0x1f/0x30 [ 4223.822629] iommu_release_device+0x33/0x60 [ 4223.822629] iommu_bus_notifier+0x7f/0x90 [ 4223.822630] blocking_notifier_call_chain+0x60/0x90 [ 4223.822630] device_del+0x2e5/0x420 [ 4223.822630] pci_remove_bus_device+0x70/0x110 [ 4223.822630] pciehp_unconfigure_device+0x7c/0x130 [ 4223.822631] pciehp_disable_slot+0x6b/0x100 [ 4223.822631] pciehp_handle_presence_or_link_change+0xd8/0x320 [ 4223.822631] pciehp_ist+0x176/0x180 [ 4223.822631] ? irq_finalize_oneshot.part.50+0x110/0x110 [ 4223.822632] irq_thread_fn+0x19/0x50 [ 4223.822632] irq_thread+0x104/0x190 [ 4223.822632] ? irq_forced_thread_fn+0x90/0x90 [ 4223.822632] ? irq_thread_check_affinity+0xe0/0xe0 [ 4223.822633] kthread+0x114/0x130 [ 4223.822633] ? __kthread_cancel_work+0x40/0x40 [ 4223.822633] ret_from_fork+0x1f/0x30 [ 4223.822633] Kernel panic - not syncing: Hard LOCKUP [ 4223.822634] CPU: 144 PID: 1422 Comm: irq/57-pciehp Kdump: loaded Tainted: G S OE kernel version xxxx [ 4223.822634] Hardware name: vendorname xxxx 666-106, BIOS 01.01.02.03.01 05/15/2023 [ 4223.822634] Call Trace: [ 4223.822634] <NMI> [ 4223.822635] dump_stack+0x6d/0x88 [ 4223.822635] panic+0x101/0x2d0 [ 4223.822635] ? ret_from_fork+0x11/0x30 [ 4223.822635] nmi_panic.cold.14+0xc/0xc [ 4223.822636] watchdog_overflow_callback.cold.8+0x6d/0x81 [ 4223.822636] __perf_event_overflow+0x4f/0xf0 [ 4223.822636] handle_pmi_common ---truncated--- |
Risk And Classification
Primary CVSS: v3.1 5.5 MEDIUM from [email protected]
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Problem Types: NVD-CWE-Other
CVSS v3.1 Breakdown
Attack Vector
LocalAttack Complexity
LowPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
NoneIntegrity
NoneAvailability
HighCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Linux | Linux Kernel | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected 6f7db75e1c469057fe7588ed959328ead771ccc7 f873b85ec762c5a6abe94a7ddb31df5d3ba07d85 git | Not specified |
| CNA | Linux | Linux | affected 6f7db75e1c469057fe7588ed959328ead771ccc7 d70f1c85113cd8c2aa8373f491ca5d1b22ec0554 git | Not specified |
| CNA | Linux | Linux | affected 6f7db75e1c469057fe7588ed959328ead771ccc7 34a7b30f56d30114bf4d436e4dc793afe326fbcf git | Not specified |
| CNA | Linux | Linux | affected 6f7db75e1c469057fe7588ed959328ead771ccc7 2b74b2a92e524d7c8dec8e02e95ecf18b667c062 git | Not specified |
| CNA | Linux | Linux | affected 6f7db75e1c469057fe7588ed959328ead771ccc7 c04f2780919f20e2cc4846764221f5e802555868 git | Not specified |
| CNA | Linux | Linux | affected 6f7db75e1c469057fe7588ed959328ead771ccc7 025bc6b41e020aeb1e71f84ae3ffce945026de05 git | Not specified |
| CNA | Linux | Linux | affected 6f7db75e1c469057fe7588ed959328ead771ccc7 4fc82cd907ac075648789cc3a00877778aa1838b git | Not specified |
| CNA | Linux | Linux | affected 5.0 | Not specified |
| CNA | Linux | Linux | unaffected 5.0 semver | Not specified |
| CNA | Linux | Linux | unaffected 5.10.214 5.10.* semver | Not specified |
| CNA | Linux | Linux | unaffected 5.15.153 5.15.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.1.83 6.1.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.23 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.7.11 6.7.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.8.2 6.8.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.9 * original_commit_for_fix | Not specified |
| ADP | Siemens | SIMATIC S7-1500 TM MFP - GNU/Linux Subsystem | affected * custom | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/f873b85ec762c5a6abe94a7ddb31df5d3ba07d85 | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch |
| git.kernel.org/stable/c/34a7b30f56d30114bf4d436e4dc793afe326fbcf | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch |
| lists.debian.org/debian-lts-announce/2024/06/msg00017.html | af854a3a-2127-422b-91ae-364da2661108 | lists.debian.org | Mailing List |
| git.kernel.org/stable/c/025bc6b41e020aeb1e71f84ae3ffce945026de05 | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch |
| cert-portal.siemens.com/productcert/html/ssa-265688.html | 0b142b55-0307-4c5a-b3c9-f314f3fb7c5e | cert-portal.siemens.com | |
| git.kernel.org/stable/c/c04f2780919f20e2cc4846764221f5e802555868 | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch |
| git.kernel.org/stable/c/d70f1c85113cd8c2aa8373f491ca5d1b22ec0554 | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch |
| git.kernel.org/stable/c/4fc82cd907ac075648789cc3a00877778aa1838b | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch |
| git.kernel.org/stable/c/2b74b2a92e524d7c8dec8e02e95ecf18b667c062 | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.