CVE-2023-54095
Use-After-Free in Linux Kernel powerpc/iommu Notifier Handling Causes Kernel Crash

Publication date: 2025-12-24

Last updated on: 2025-12-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

powerpc/iommu: Fix notifiers being shared by PCI and VIO buses

fail_iommu_setup() registers the fail_iommu_bus_notifier struct to both PCI and VIO buses. struct notifier_block is a linked list node, so this causes any notifiers later registered to either bus type to also be registered to the other since they share the same node. This causes issues in (at least) the vgaarb code, which registers a notifier for PCI buses. pci_notify() ends up being called on a vio device, converted with to_pci_dev() even though it's not a PCI device, and finally makes a bad access in vga_arbiter_add_pci_device() as discovered with KASAN:

    BUG: KASAN: slab-out-of-bounds in vga_arbiter_add_pci_device+0x60/0xe00
    Read of size 4 at addr c000000264c26fdc by task swapper/0/1

    Call Trace:
      dump_stack_lvl+0x1bc/0x2b8 (unreliable)
      print_report+0x3f4/0xc60
      kasan_report+0x244/0x698
      __asan_load4+0xe8/0x250
      vga_arbiter_add_pci_device+0x60/0xe00
      pci_notify+0x88/0x444
      notifier_call_chain+0x104/0x320
      blocking_notifier_call_chain+0xa0/0x140
      device_add+0xac8/0x1d30
      device_register+0x58/0x80
      vio_register_device_node+0x9ac/0xce0
      vio_bus_scan_register_devices+0xc4/0x13c
      __machine_initcall_pseries_vio_device_init+0x94/0xf0
      do_one_initcall+0x12c/0xaa8
      kernel_init_freeable+0xa48/0xba8
      kernel_init+0x64/0x400
      ret_from_kernel_thread+0x5c/0x64

Fix this by creating separate notifier_block structs for each bus type.

[mpe: Add #ifdef to fix CONFIG_IBMVIO=n build]

Meta Information

Published: 2025-12-24
Last Modified: 2025-12-24
Generated: 2026-05-07
AI Q&A: 2025-12-24
EPSS Evaluated: 2026-05-05

Affected Vendors & Products
Showing 1 associated CPE

Vendor | Product | Version / Range
linux | linux_kernel | *

CWE ID: CWE-UNKNOWN

AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability occurs in the Linux kernel's powerpc/iommu code where a notifier structure (fail_iommu_bus_notifier) is incorrectly shared between PCI and VIO buses. Because the notifier_block is a linked list node, sharing it causes notifiers registered for one bus type to also be registered for the other. This leads to the pci_notify() function being called on VIO devices, which are not PCI devices, causing invalid memory access and a kernel crash detected by KASAN. The fix involves creating separate notifier_block structures for each bus type to prevent this cross-registration.
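
The shared-node effect described above, as an added example that is not the kernel's code: a userspace model of a notifier chain, simplified to plain tail insertion with no priorities or locking. The names iommu_cb, pci_cb, pci_only and pci_handler_calls_on_vio_add are hypothetical; pci_only stands in for the PCI-only notifier that vgaarb registers.

```c
#include <stdio.h>

/* Userspace model of a kernel notifier chain: each notifier_block is
 * itself the list node, so one block can only sit in one chain. */
struct notifier_block {
    int (*notifier_call)(struct notifier_block *nb, unsigned long act, void *dev);
    struct notifier_block *next;
};

static void chain_register(struct notifier_block **nl, struct notifier_block *n)
{
    while (*nl)
        nl = &(*nl)->next;
    n->next = NULL;
    *nl = n;   /* if *nl is a block shared with another chain, n joins both */
}

static void chain_call(struct notifier_block *nb, void *dev)
{
    for (; nb; nb = nb->next)
        nb->notifier_call(nb, 0, dev);
}

static int pci_hits;  /* times the PCI-only handler ran */
static int iommu_cb(struct notifier_block *nb, unsigned long act, void *dev) { (void)nb; (void)act; (void)dev; return 0; }
static int pci_cb(struct notifier_block *nb, unsigned long act, void *dev) { (void)nb; (void)act; (void)dev; pci_hits++; return 0; }

/* Returns how often the PCI-only handler fires for one VIO device add.
 * shared_node=1 models the bug, shared_node=0 the per-bus fix. */
int pci_handler_calls_on_vio_add(int shared_node)
{
    struct notifier_block *pci_bus = NULL, *vio_bus = NULL;  /* chain heads */
    struct notifier_block iommu_pci = { iommu_cb, NULL }, iommu_vio = { iommu_cb, NULL };
    struct notifier_block pci_only = { pci_cb, NULL };  /* hypothetical PCI-only notifier */
    int vio_device = 0;  /* constructed stand-in for a VIO device */
    chain_register(&pci_bus, &iommu_pci);
    chain_register(&vio_bus, shared_node ? &iommu_pci : &iommu_vio);
    chain_register(&pci_bus, &pci_only);  /* registered on the PCI bus only */
    pci_hits = 0;
    chain_call(vio_bus, &vio_device);
    return pci_hits;
}

int main(void)
{
    printf("shared: %d, separate: %d\n", pci_handler_calls_on_vio_add(1), pci_handler_calls_on_vio_add(0));
    return 0;
}
```

With the shared node, the PCI-only handler runs once for a device that was only ever added to the VIO chain; with one block per bus it never runs.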


How can this vulnerability impact me?

This vulnerability can cause kernel crashes due to invalid memory access when the system incorrectly treats VIO devices as PCI devices. This can lead to system instability, potential denial of service, and unpredictable behavior in affected Linux systems running on powerpc architectures with the iommu code path.


What immediate steps should I take to mitigate this vulnerability?

The immediate step to mitigate this vulnerability is to update the Linux kernel to a version where the fix has been applied. The fix involves creating separate notifier_block structs for each bus type to prevent the shared notifier issue causing bad memory access. Applying the official patch or upgrading to a fixed kernel version will resolve the issue.

