CVE-2026-45904 - Vulnerability Details

- powerpc/eeh: fix recursive pci_lock_rescan_remove locking in EEH event handling

Description

In the Linux kernel, the following vulnerability has been resolved:

powerpc/eeh: fix recursive pci_lock_rescan_remove locking in EEH event handling

The recent commit 1010b4c012b0 ("powerpc/eeh: Make EEH driver device
hotplug safe") restructured the EEH driver to improve synchronization
with the PCI hotplug layer.

However, it inadvertently moved pci_lock_rescan_remove() outside its
intended scope in eeh_handle_normal_event(), leading to broken PCI
error reporting and improper EEH event triggering. Specifically,
eeh_handle_normal_event() acquired pci_lock_rescan_remove() before
calling eeh_pe_bus_get(), but eeh_pe_bus_get() itself attempts to
acquire the same lock internally, causing nested locking and disrupting
normal EEH event handling paths.

This patch adds a boolean parameter do_lock to _eeh_pe_bus_get(),
with two public wrappers:
eeh_pe_bus_get() with locking enabled.
eeh_pe_bus_get_nolock() that skips locking.

Callers that already hold pci_lock_rescan_remove() now use
eeh_pe_bus_get_nolock() to avoid recursive lock acquisition.

Additionally, pci_lock_rescan_remove() calls are restored to the correct
position—after eeh_pe_bus_get() and immediately before iterating affected
PEs and devices. This ensures EEH-triggered PCI removes occur under proper
bus rescan locking without recursive lock contention.

The eeh_pe_loc_get() function has been split into two functions:
eeh_pe_loc_get(struct eeh_pe *pe) which retrieves the loc for given PE.
eeh_pe_loc_get_bus(struct pci_bus *bus) which retrieves the location
code for given bus.

This resolves lockdep warnings such as:
<snip>
[ 84.964298] [ T928] ============================================
[ 84.964304] [ T928] WARNING: possible recursive locking detected
[ 84.964311] [ T928] 6.18.0-rc3 #51 Not tainted
[ 84.964315] [ T928] --------------------------------------------
[ 84.964320] [ T928] eehd/928 is trying to acquire lock:
[ 84.964324] [ T928] c000000003b29d58 (pci_rescan_remove_lock){+.+.}-{3:3}, at: pci_lock_rescan_remove+0x28/0x40
[ 84.964342] [ T928]
but task is already holding lock:
[ 84.964347] [ T928] c000000003b29d58 (pci_rescan_remove_lock){+.+.}-{3:3}, at: pci_lock_rescan_remove+0x28/0x40
[ 84.964357] [ T928]
other info that might help us debug this:
[ 84.964363] [ T928] Possible unsafe locking scenario:

[ 84.964367] [ T928] CPU0
[ 84.964370] [ T928] ----
[ 84.964373] [ T928] lock(pci_rescan_remove_lock);
[ 84.964378] [ T928] lock(pci_rescan_remove_lock);
[ 84.964383] [ T928]
*** DEADLOCK ***

[ 84.964388] [ T928] May be due to missing lock nesting notation

[ 84.964393] [ T928] 1 lock held by eehd/928:
[ 84.964397] [ T928] #0: c000000003b29d58 (pci_rescan_remove_lock){+.+.}-{3:3}, at: pci_lock_rescan_remove+0x28/0x40
[ 84.964408] [ T928]
stack backtrace:
[ 84.964414] [ T928] CPU: 2 UID: 0 PID: 928 Comm: eehd Not tainted 6.18.0-rc3 #51 VOLUNTARY
[ 84.964417] [ T928] Hardware name: IBM,9080-HEX POWER10 (architected) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_022) hv:phyp pSeries
[ 84.964419] [ T928] Call Trace:
[ 84.964420] [ T928] [c0000011a7157990] [c000000001705de4] dump_stack_lvl+0xc8/0x130 (unreliable)
[ 84.964424] [ T928] [c0000011a71579d0] [c0000000002f66e0] print_deadlock_bug+0x430/0x440
[ 84.964428] [ T928] [c0000011a7157a70] [c0000000002fd0c0] __lock_acquire+0x1530/0x2d80
[ 84.964431] [ T928] [c0000011a7157ba0] [c0000000002fea54] lock_acquire+0x144/0x410
[ 84.964433] [ T928] [c0000011a7157cb0] [c0000011a7157cb0] __mutex_lock+0xf4/0x1050
[ 84.964436] [ T928] [c0000011a7157e00] [c000000000de21d8] pci_lock_rescan_remove+0x28/0x40
[ 84.964439] [ T928] [c0000011a7157e20] [c00000000004ed98] eeh_pe_bus_get+0x48/0xc0
[ 84.964442] [ T928] [c0000011a7157e50] [c00000
---truncated---

Published: 2026-05-27

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability stems from recursive acquisition of the pci_lock_rescan_remove lock during EEH event handling in the PowerPC Linux kernel. When the lock is held by eeh_handle_normal_event and eeh_pe_bus_get() attempts to acquire the same lock again, the kernel triggers a recursive locking scenario that can result in deadlock or improper PCI error reporting. The outcome is a potential loss of bus rescan functionality, mis‑reported EEH events, and an availability degradation that could lead to system instability or a kernel panic. This is a classic concurrency flaw, primarily impacting system reliability rather than confidentiality or integrity.

Affected Systems

The issue affects Linux kernel builds for PowerPC architectures. The exact version range is not specified in the data; the fix was integrated in commit 1010b4c012b0 around kernel version 6.18. Systems running earlier kernel releases that include the EEH driver without this patch are susceptible.

Risk and Exploitability

The CVSS score is not present, and the EPSS metric is unavailable, indicating that the exploitation probability is uncertain. The vulnerability has not been listed in the CISA KEV catalog, suggesting no known widespread exploitation yet. Nevertheless, because the flaw comes from a recursive lock that can cause a deadlock, a local attacker or one who can control PCI hotplug events could trigger instability. Attack conditions require a kernel mode context and the ability to provoke an EEH event, so remote exploitation is unlikely but local privilege escalation or a trusted user could leverage the bug to destabilize the system.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`502f08831a9afb72dc98a56ae6504da43e93b250`	affected	< 89810e2d80281d42f855fac813786758ee16e323
`f56e004b781719d8fdf6c9619b15caf2579bc1f2`	affected	< 788dd28fd49610d6047cbb15dbf1186afffdfbaf
`59c6d3d81d42bf543c90597b4f38c53d6874c5a1`	affected	< f49faa4a64f8ac0e38983e606075b25dfcfc9ad4
`a426e8a6ae161f51888585b065db0f8f93ab2e16`	affected	< 87a1f93986aa1500b85aeff16b0b71c29ea116ea
`d2c60a8a387e9fcc28447ef36c03f8e49fd052a6`	affected	< f8b16d5764ee1e78c1ef333017ad383ffe76fcdc
`1010b4c012b0d78dfb9d3132b49aa2ef024a07a7`	affected	< 6e6561231c6cfc32c5631aeecc0928ff2b14265c
`1010b4c012b0d78dfb9d3132b49aa2ef024a07a7`	affected	< b85ee287bfe52c6b2d9b41758b5e0d08679d5b39
`1010b4c012b0d78dfb9d3132b49aa2ef024a07a7`	affected	< 815a8d2feb5615ae7f0b5befd206af0b0160614c
`d42bbd8f30ac38b1ce54715bf08ec3dac18d6b25`	affected	—
`19d5036e7ad766cf212aebec23b9f1d7924a62bc`	affected	—
`5.10.241`	affected	< 5.10.252
`5.15.190`	affected	< 5.15.202
`6.1.148`	affected	< 6.1.165
`6.6.102`	affected	< 6.6.128
`6.12.42`	affected	< 6.12.75
`6.15.10`	affected	< 6.16
`6.16.1`	affected	< 6.17

Linux

affected

Version	Status	Constraints
`6.17`	affected	—
`0`	unaffected	< 6.17
`5.10.252`	unaffected	≤ 5.10.*
`5.15.202`	unaffected	≤ 5.15.*
`6.1.165`	unaffected	≤ 6.1.*
`6.6.128`	unaffected	≤ 6.6.*
`6.12.75`	unaffected	≤ 6.12.*
`6.18.14`	unaffected	≤ 6.18.*
`6.19.4`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[502f08831a9afb72dc98a56ae6504da43e93b250,89810e2d80281d42f855fac813786758ee16e323)`	affected	code_commit	—
`[f56e004b781719d8fdf6c9619b15caf2579bc1f2,788dd28fd49610d6047cbb15dbf1186afffdfbaf)`	affected	code_commit	—
`[59c6d3d81d42bf543c90597b4f38c53d6874c5a1,f49faa4a64f8ac0e38983e606075b25dfcfc9ad4)`	affected	code_commit	—
`[a426e8a6ae161f51888585b065db0f8f93ab2e16,87a1f93986aa1500b85aeff16b0b71c29ea116ea)`	affected	code_commit	—
`[d2c60a8a387e9fcc28447ef36c03f8e49fd052a6,f8b16d5764ee1e78c1ef333017ad383ffe76fcdc)`	affected	code_commit	—
`[1010b4c012b0d78dfb9d3132b49aa2ef024a07a7,6e6561231c6cfc32c5631aeecc0928ff2b14265c)`	affected	code_commit	—
`[1010b4c012b0d78dfb9d3132b49aa2ef024a07a7,b85ee287bfe52c6b2d9b41758b5e0d08679d5b39)`	affected	code_commit	—
`[1010b4c012b0d78dfb9d3132b49aa2ef024a07a7,815a8d2feb5615ae7f0b5befd206af0b0160614c)`	affected	code_commit	—
`1010b4c012b0d78dfb9d3132b49aa2ef024a07a7`	affected	code_commit	—
`d42bbd8f30ac38b1ce54715bf08ec3dac18d6b25`	affected	code_commit	—
`19d5036e7ad766cf212aebec23b9f1d7924a62bc`	affected	code_commit	—
`[5.10.241,5.10.252)`	affected	semver	—
`[5.15.190,5.15.202)`	affected	semver	—
`[6.1.148,6.1.165)`	affected	semver	—
`[6.6.102,6.6.128)`	affected	semver	—
`[6.12.42,6.12.75)`	affected	semver	—
`[6.15.10,6.16)`	affected	semver	—
`[6.16.1,6.17)`	affected	semver	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.17`	affected	generic	—
`[0,6.17)`	unaffected	generic	—
`[5.10.252,5.10.*]`	unaffected	generic	—
`[5.15.202,5.15.*]`	unaffected	generic	—
`[6.1.165,6.1.*]`	unaffected	generic	—
`[6.6.128,6.6.*]`	unaffected	generic	—
`[6.12.75,6.12.*]`	unaffected	generic	—
`[6.18.14,6.18.*]`	unaffected	generic	—
`[6.19.4,6.19.*]`	unaffected	generic	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a version that includes commit 1010b4c012b0, such as the latest 6.18.x release or any branch that integrates this patch.
If a direct kernel upgrade is not feasible, apply the patch from the referenced commit to the current kernel source tree and rebuild the kernel, ensuring the patch is applied cleanly.
After applying the fix, enable lockdep and reboot the system to verify that lockdep no longer reports recursive locking around pci_lock_rescan_remove; monitor system logs for any persistent EEH or PCI hotplug warnings.
As a temporary mitigant, disable PCI hotplug or disable EEH handling on devices that are not required for operation to avoid triggering the recursive lock scenario.
Restart affected services or the entire system after verification to ensure that the kernel state is stable.

Generated by OpenCVE AI on May 27, 2026 at 16:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/6e6561231c6cfc32c5631aeecc0928ff2b14265c
https://git.kernel.org/stable/c/788dd28fd49610d6047cbb15dbf1186afffdfbaf
https://git.kernel.org/stable/c/815a8d2feb5615ae7f0b5befd206af0b0160614c
https://git.kernel.org/stable/c/87a1f93986aa1500b85aeff16b0b71c29ea116ea
https://git.kernel.org/stable/c/89810e2d80281d42f855fac813786758ee16e323
https://git.kernel.org/stable/c/b85ee287bfe52c6b2d9b41758b5e0d08679d5b39
https://git.kernel.org/stable/c/f49faa4a64f8ac0e38983e606075b25dfcfc9ad4
https://git.kernel.org/stable/c/f8b16d5764ee1e78c1ef333017ad383ffe76fcdc

History

Wed, 27 May 2026 17:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-1060 CWE-824

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: powerpc/eeh: fix recursive pci_lock_rescan_remove locking in EEH event handling The recent commit 1010b4c012b0 ("powerpc/eeh: Make EEH driver device hotplug safe") restructured the EEH driver to improve synchronization with the PCI hotplug layer. However, it inadvertently moved pci_lock_rescan_remove() outside its intended scope in eeh_handle_normal_event(), leading to broken PCI error reporting and improper EEH event triggering. Specifically, eeh_handle_normal_event() acquired pci_lock_rescan_remove() before calling eeh_pe_bus_get(), but eeh_pe_bus_get() itself attempts to acquire the same lock internally, causing nested locking and disrupting normal EEH event handling paths. This patch adds a boolean parameter do_lock to _eeh_pe_bus_get(), with two public wrappers: eeh_pe_bus_get() with locking enabled. eeh_pe_bus_get_nolock() that skips locking. Callers that already hold pci_lock_rescan_remove() now use eeh_pe_bus_get_nolock() to avoid recursive lock acquisition. Additionally, pci_lock_rescan_remove() calls are restored to the correct position—after eeh_pe_bus_get() and immediately before iterating affected PEs and devices. This ensures EEH-triggered PCI removes occur under proper bus rescan locking without recursive lock contention. The eeh_pe_loc_get() function has been split into two functions: eeh_pe_loc_get(struct eeh_pe pe) which retrieves the loc for given PE. eeh_pe_loc_get_bus(struct pci_bus bus) which retrieves the location code for given bus. This resolves lockdep warnings such as: <snip> [ 84.964298] [ T928] ============================================ [ 84.964304] [ T928] WARNING: possible recursive locking detected [ 84.964311] [ T928] 6.18.0-rc3 #51 Not tainted [ 84.964315] [ T928] -------------------------------------------- [ 84.964320] [ T928] eehd/928 is trying to acquire lock: [ 84.964324] [ T928] c000000003b29d58 (pci_rescan_remove_lock){+.+.}-{3:3}, at: pci_lock_rescan_remove+0x28/0x40 [ 84.964342] [ T928] but task is already holding lock: [ 84.964347] [ T928] c000000003b29d58 (pci_rescan_remove_lock){+.+.}-{3:3}, at: pci_lock_rescan_remove+0x28/0x40 [ 84.964357] [ T928] other info that might help us debug this: [ 84.964363] [ T928] Possible unsafe locking scenario: [ 84.964367] [ T928] CPU0 [ 84.964370] [ T928] ---- [ 84.964373] [ T928] lock(pci_rescan_remove_lock); [ 84.964378] [ T928] lock(pci_rescan_remove_lock); [ 84.964383] [ T928] * DEADLOCK * [ 84.964388] [ T928] May be due to missing lock nesting notation [ 84.964393] [ T928] 1 lock held by eehd/928: [ 84.964397] [ T928] #0: c000000003b29d58 (pci_rescan_remove_lock){+.+.}-{3:3}, at: pci_lock_rescan_remove+0x28/0x40 [ 84.964408] [ T928] stack backtrace: [ 84.964414] [ T928] CPU: 2 UID: 0 PID: 928 Comm: eehd Not tainted 6.18.0-rc3 #51 VOLUNTARY [ 84.964417] [ T928] Hardware name: IBM,9080-HEX POWER10 (architected) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_022) hv:phyp pSeries [ 84.964419] [ T928] Call Trace: [ 84.964420] [ T928] [c0000011a7157990] [c000000001705de4] dump_stack_lvl+0xc8/0x130 (unreliable) [ 84.964424] [ T928] [c0000011a71579d0] [c0000000002f66e0] print_deadlock_bug+0x430/0x440 [ 84.964428] [ T928] [c0000011a7157a70] [c0000000002fd0c0] __lock_acquire+0x1530/0x2d80 [ 84.964431] [ T928] [c0000011a7157ba0] [c0000000002fea54] lock_acquire+0x144/0x410 [ 84.964433] [ T928] [c0000011a7157cb0] [c0000011a7157cb0] __mutex_lock+0xf4/0x1050 [ 84.964436] [ T928] [c0000011a7157e00] [c000000000de21d8] pci_lock_rescan_remove+0x28/0x40 [ 84.964439] [ T928] [c0000011a7157e20] [c00000000004ed98] eeh_pe_bus_get+0x48/0xc0 [ 84.964442] [ T928] [c0000011a7157e50] [c00000 ---truncated---
Title		powerpc/eeh: fix recursive pci_lock_rescan_remove locking in EEH event handling
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/6e6561231c6cfc32c5631aeecc0928ff2b14265c https://git.kernel.org/stable/c/788dd28fd49610d6047cbb15dbf1186afffdfbaf https://git.kernel.org/stable/c/815a8d2feb5615ae7f0b5befd206af0b0160614c https://git.kernel.org/stable/c/87a1f93986aa1500b85aeff16b0b71c29ea116ea https://git.kernel.org/stable/c/89810e2d80281d42f855fac813786758ee16e323 https://git.kernel.org/stable/c/b85ee287bfe52c6b2d9b41758b5e0d08679d5b39 https://git.kernel.org/stable/c/f49faa4a64f8ac0e38983e606075b25dfcfc9ad4 https://git.kernel.org/stable/c/f8b16d5764ee1e78c1ef333017ad383ffe76fcdc

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T12:17:12.504Z

Updated: 2026-05-27T12:17:12.504Z

Reserved: 2026-05-13T15:03:33.084Z

Link: CVE-2026-45904

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:04.820

Modified: 2026-05-27T14:48:31.480

Link: CVE-2026-45904

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T20:00:05Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object