CVE-2026-45904 - Vulnerability Details

- powerpc/eeh: fix recursive pci_lock_rescan_remove locking in EEH event handling

Description

In the Linux kernel, the following vulnerability has been resolved:

powerpc/eeh: fix recursive pci_lock_rescan_remove locking in EEH event handling

The recent commit 1010b4c012b0 ("powerpc/eeh: Make EEH driver device
hotplug safe") restructured the EEH driver to improve synchronization
with the PCI hotplug layer.

However, it inadvertently moved pci_lock_rescan_remove() outside its
intended scope in eeh_handle_normal_event(), leading to broken PCI
error reporting and improper EEH event triggering. Specifically,
eeh_handle_normal_event() acquired pci_lock_rescan_remove() before
calling eeh_pe_bus_get(), but eeh_pe_bus_get() itself attempts to
acquire the same lock internally, causing nested locking and disrupting
normal EEH event handling paths.

This patch adds a boolean parameter do_lock to _eeh_pe_bus_get(),
with two public wrappers:
eeh_pe_bus_get() with locking enabled.
eeh_pe_bus_get_nolock() that skips locking.

Callers that already hold pci_lock_rescan_remove() now use
eeh_pe_bus_get_nolock() to avoid recursive lock acquisition.

Additionally, pci_lock_rescan_remove() calls are restored to the correct
position—after eeh_pe_bus_get() and immediately before iterating affected
PEs and devices. This ensures EEH-triggered PCI removes occur under proper
bus rescan locking without recursive lock contention.

The eeh_pe_loc_get() function has been split into two functions:
eeh_pe_loc_get(struct eeh_pe *pe) which retrieves the loc for given PE.
eeh_pe_loc_get_bus(struct pci_bus *bus) which retrieves the location
code for given bus.

This resolves lockdep warnings such as:
<snip>
[ 84.964298] [ T928] ============================================
[ 84.964304] [ T928] WARNING: possible recursive locking detected
[ 84.964311] [ T928] 6.18.0-rc3 #51 Not tainted
[ 84.964315] [ T928] --------------------------------------------
[ 84.964320] [ T928] eehd/928 is trying to acquire lock:
[ 84.964324] [ T928] c000000003b29d58 (pci_rescan_remove_lock){+.+.}-{3:3}, at: pci_lock_rescan_remove+0x28/0x40
[ 84.964342] [ T928]
but task is already holding lock:
[ 84.964347] [ T928] c000000003b29d58 (pci_rescan_remove_lock){+.+.}-{3:3}, at: pci_lock_rescan_remove+0x28/0x40
[ 84.964357] [ T928]
other info that might help us debug this:
[ 84.964363] [ T928] Possible unsafe locking scenario:

[ 84.964367] [ T928] CPU0
[ 84.964370] [ T928] ----
[ 84.964373] [ T928] lock(pci_rescan_remove_lock);
[ 84.964378] [ T928] lock(pci_rescan_remove_lock);
[ 84.964383] [ T928]
*** DEADLOCK ***

[ 84.964388] [ T928] May be due to missing lock nesting notation

[ 84.964393] [ T928] 1 lock held by eehd/928:
[ 84.964397] [ T928] #0: c000000003b29d58 (pci_rescan_remove_lock){+.+.}-{3:3}, at: pci_lock_rescan_remove+0x28/0x40
[ 84.964408] [ T928]
stack backtrace:
[ 84.964414] [ T928] CPU: 2 UID: 0 PID: 928 Comm: eehd Not tainted 6.18.0-rc3 #51 VOLUNTARY
[ 84.964417] [ T928] Hardware name: IBM,9080-HEX POWER10 (architected) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_022) hv:phyp pSeries
[ 84.964419] [ T928] Call Trace:
[ 84.964420] [ T928] [c0000011a7157990] [c000000001705de4] dump_stack_lvl+0xc8/0x130 (unreliable)
[ 84.964424] [ T928] [c0000011a71579d0] [c0000000002f66e0] print_deadlock_bug+0x430/0x440
[ 84.964428] [ T928] [c0000011a7157a70] [c0000000002fd0c0] __lock_acquire+0x1530/0x2d80
[ 84.964431] [ T928] [c0000011a7157ba0] [c0000000002fea54] lock_acquire+0x144/0x410
[ 84.964433] [ T928] [c0000011a7157cb0] [c0000011a7157cb0] __mutex_lock+0xf4/0x1050
[ 84.964436] [ T928] [c0000011a7157e00] [c000000000de21d8] pci_lock_rescan_remove+0x28/0x40
[ 84.964439] [ T928] [c0000011a7157e20] [c00000000004ed98] eeh_pe_bus_get+0x48/0xc0
[ 84.964442] [ T928] [c0000011a7157e50] [c00000
---truncated---

Published: 2026-05-27

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`502f08831a9afb72dc98a56ae6504da43e93b250`	affected	< 89810e2d80281d42f855fac813786758ee16e323
`f56e004b781719d8fdf6c9619b15caf2579bc1f2`	affected	< 788dd28fd49610d6047cbb15dbf1186afffdfbaf
`59c6d3d81d42bf543c90597b4f38c53d6874c5a1`	affected	< f49faa4a64f8ac0e38983e606075b25dfcfc9ad4
`a426e8a6ae161f51888585b065db0f8f93ab2e16`	affected	< 87a1f93986aa1500b85aeff16b0b71c29ea116ea
`d2c60a8a387e9fcc28447ef36c03f8e49fd052a6`	affected	< f8b16d5764ee1e78c1ef333017ad383ffe76fcdc
`1010b4c012b0d78dfb9d3132b49aa2ef024a07a7`	affected	< 6e6561231c6cfc32c5631aeecc0928ff2b14265c
`1010b4c012b0d78dfb9d3132b49aa2ef024a07a7`	affected	< b85ee287bfe52c6b2d9b41758b5e0d08679d5b39
`1010b4c012b0d78dfb9d3132b49aa2ef024a07a7`	affected	< 815a8d2feb5615ae7f0b5befd206af0b0160614c
`d42bbd8f30ac38b1ce54715bf08ec3dac18d6b25`	affected	—
`19d5036e7ad766cf212aebec23b9f1d7924a62bc`	affected	—
`5.10.241`	affected	< 5.10.252
`5.15.190`	affected	< 5.15.202
`6.1.148`	affected	< 6.1.165
`6.6.102`	affected	< 6.6.128
`6.12.42`	affected	< 6.12.75
`6.15.10`	affected	< 6.16
`6.16.1`	affected	< 6.17

Linux

affected

Version	Status	Constraints
`6.17`	affected	—
`0`	unaffected	< 6.17
`5.10.252`	unaffected	≤ 5.10.*
`5.15.202`	unaffected	≤ 5.15.*
`6.1.165`	unaffected	≤ 6.1.*
`6.6.128`	unaffected	≤ 6.6.*
`6.12.75`	unaffected	≤ 6.12.*
`6.18.14`	unaffected	≤ 6.18.*
`6.19.4`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[502f08831a9afb72dc98a56ae6504da43e93b250,89810e2d80281d42f855fac813786758ee16e323)`	affected	code_commit	—
`[f56e004b781719d8fdf6c9619b15caf2579bc1f2,788dd28fd49610d6047cbb15dbf1186afffdfbaf)`	affected	code_commit	—
`[59c6d3d81d42bf543c90597b4f38c53d6874c5a1,f49faa4a64f8ac0e38983e606075b25dfcfc9ad4)`	affected	code_commit	—
`[a426e8a6ae161f51888585b065db0f8f93ab2e16,87a1f93986aa1500b85aeff16b0b71c29ea116ea)`	affected	code_commit	—
`[d2c60a8a387e9fcc28447ef36c03f8e49fd052a6,f8b16d5764ee1e78c1ef333017ad383ffe76fcdc)`	affected	code_commit	—
`[1010b4c012b0d78dfb9d3132b49aa2ef024a07a7,6e6561231c6cfc32c5631aeecc0928ff2b14265c)`	affected	code_commit	—
`[1010b4c012b0d78dfb9d3132b49aa2ef024a07a7,b85ee287bfe52c6b2d9b41758b5e0d08679d5b39)`	affected	code_commit	—
`[1010b4c012b0d78dfb9d3132b49aa2ef024a07a7,815a8d2feb5615ae7f0b5befd206af0b0160614c)`	affected	code_commit	—
`1010b4c012b0d78dfb9d3132b49aa2ef024a07a7`	affected	code_commit	—
`d42bbd8f30ac38b1ce54715bf08ec3dac18d6b25`	affected	code_commit	—
`19d5036e7ad766cf212aebec23b9f1d7924a62bc`	affected	code_commit	—
`[5.10.241,5.10.252)`	affected	semver	—
`[5.15.190,5.15.202)`	affected	semver	—
`[6.1.148,6.1.165)`	affected	semver	—
`[6.6.102,6.6.128)`	affected	semver	—
`[6.12.42,6.12.75)`	affected	semver	—
`[6.15.10,6.16)`	affected	semver	—
`[6.16.1,6.17)`	affected	semver	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.17`	affected	generic	—
`[0,6.17)`	unaffected	generic	—
`[5.10.252,5.10.*]`	unaffected	generic	—
`[5.15.202,5.15.*]`	unaffected	generic	—
`[6.1.165,6.1.*]`	unaffected	generic	—
`[6.6.128,6.6.*]`	unaffected	generic	—
`[6.12.75,6.12.*]`	unaffected	generic	—
`[6.18.14,6.18.*]`	unaffected	generic	—
`[6.19.4,6.19.*]`	unaffected	generic	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4606-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00156.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/6e6561231c6cfc32c5631aeecc0928ff2b14265c
https://git.kernel.org/stable/c/788dd28fd49610d6047cbb15dbf1186afffdfbaf
https://git.kernel.org/stable/c/815a8d2feb5615ae7f0b5befd206af0b0160614c
https://git.kernel.org/stable/c/87a1f93986aa1500b85aeff16b0b71c29ea116ea
https://git.kernel.org/stable/c/89810e2d80281d42f855fac813786758ee16e323
https://git.kernel.org/stable/c/b85ee287bfe52c6b2d9b41758b5e0d08679d5b39
https://git.kernel.org/stable/c/f49faa4a64f8ac0e38983e606075b25dfcfc9ad4
https://git.kernel.org/stable/c/f8b16d5764ee1e78c1ef333017ad383ffe76fcdc
https://lore.kernel.org/linux-cve-announce/2026052720-CVE-2026-45904-ed69@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-45904
https://www.cve.org/CVERecord?id=CVE-2026-45904

History

Thu, 28 May 2026 16:15:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-1060 CWE-824

Thu, 28 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-833
References		https://lore.kernel.org/linux-cve-announce/2026052720-CVE-2026-45904-ed69@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-45904 https://www.cve.org/CVERecord?id=CVE-2026-45904
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Low`

Wed, 27 May 2026 17:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-1060 CWE-824

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: powerpc/eeh: fix recursive pci_lock_rescan_remove locking in EEH event handling The recent commit 1010b4c012b0 ("powerpc/eeh: Make EEH driver device hotplug safe") restructured the EEH driver to improve synchronization with the PCI hotplug layer. However, it inadvertently moved pci_lock_rescan_remove() outside its intended scope in eeh_handle_normal_event(), leading to broken PCI error reporting and improper EEH event triggering. Specifically, eeh_handle_normal_event() acquired pci_lock_rescan_remove() before calling eeh_pe_bus_get(), but eeh_pe_bus_get() itself attempts to acquire the same lock internally, causing nested locking and disrupting normal EEH event handling paths. This patch adds a boolean parameter do_lock to _eeh_pe_bus_get(), with two public wrappers: eeh_pe_bus_get() with locking enabled. eeh_pe_bus_get_nolock() that skips locking. Callers that already hold pci_lock_rescan_remove() now use eeh_pe_bus_get_nolock() to avoid recursive lock acquisition. Additionally, pci_lock_rescan_remove() calls are restored to the correct position—after eeh_pe_bus_get() and immediately before iterating affected PEs and devices. This ensures EEH-triggered PCI removes occur under proper bus rescan locking without recursive lock contention. The eeh_pe_loc_get() function has been split into two functions: eeh_pe_loc_get(struct eeh_pe pe) which retrieves the loc for given PE. eeh_pe_loc_get_bus(struct pci_bus bus) which retrieves the location code for given bus. This resolves lockdep warnings such as: <snip> [ 84.964298] [ T928] ============================================ [ 84.964304] [ T928] WARNING: possible recursive locking detected [ 84.964311] [ T928] 6.18.0-rc3 #51 Not tainted [ 84.964315] [ T928] -------------------------------------------- [ 84.964320] [ T928] eehd/928 is trying to acquire lock: [ 84.964324] [ T928] c000000003b29d58 (pci_rescan_remove_lock){+.+.}-{3:3}, at: pci_lock_rescan_remove+0x28/0x40 [ 84.964342] [ T928] but task is already holding lock: [ 84.964347] [ T928] c000000003b29d58 (pci_rescan_remove_lock){+.+.}-{3:3}, at: pci_lock_rescan_remove+0x28/0x40 [ 84.964357] [ T928] other info that might help us debug this: [ 84.964363] [ T928] Possible unsafe locking scenario: [ 84.964367] [ T928] CPU0 [ 84.964370] [ T928] ---- [ 84.964373] [ T928] lock(pci_rescan_remove_lock); [ 84.964378] [ T928] lock(pci_rescan_remove_lock); [ 84.964383] [ T928] * DEADLOCK * [ 84.964388] [ T928] May be due to missing lock nesting notation [ 84.964393] [ T928] 1 lock held by eehd/928: [ 84.964397] [ T928] #0: c000000003b29d58 (pci_rescan_remove_lock){+.+.}-{3:3}, at: pci_lock_rescan_remove+0x28/0x40 [ 84.964408] [ T928] stack backtrace: [ 84.964414] [ T928] CPU: 2 UID: 0 PID: 928 Comm: eehd Not tainted 6.18.0-rc3 #51 VOLUNTARY [ 84.964417] [ T928] Hardware name: IBM,9080-HEX POWER10 (architected) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_022) hv:phyp pSeries [ 84.964419] [ T928] Call Trace: [ 84.964420] [ T928] [c0000011a7157990] [c000000001705de4] dump_stack_lvl+0xc8/0x130 (unreliable) [ 84.964424] [ T928] [c0000011a71579d0] [c0000000002f66e0] print_deadlock_bug+0x430/0x440 [ 84.964428] [ T928] [c0000011a7157a70] [c0000000002fd0c0] __lock_acquire+0x1530/0x2d80 [ 84.964431] [ T928] [c0000011a7157ba0] [c0000000002fea54] lock_acquire+0x144/0x410 [ 84.964433] [ T928] [c0000011a7157cb0] [c0000011a7157cb0] __mutex_lock+0xf4/0x1050 [ 84.964436] [ T928] [c0000011a7157e00] [c000000000de21d8] pci_lock_rescan_remove+0x28/0x40 [ 84.964439] [ T928] [c0000011a7157e20] [c00000000004ed98] eeh_pe_bus_get+0x48/0xc0 [ 84.964442] [ T928] [c0000011a7157e50] [c00000 ---truncated---
Title		powerpc/eeh: fix recursive pci_lock_rescan_remove locking in EEH event handling
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/6e6561231c6cfc32c5631aeecc0928ff2b14265c https://git.kernel.org/stable/c/788dd28fd49610d6047cbb15dbf1186afffdfbaf https://git.kernel.org/stable/c/815a8d2feb5615ae7f0b5befd206af0b0160614c https://git.kernel.org/stable/c/87a1f93986aa1500b85aeff16b0b71c29ea116ea https://git.kernel.org/stable/c/89810e2d80281d42f855fac813786758ee16e323 https://git.kernel.org/stable/c/b85ee287bfe52c6b2d9b41758b5e0d08679d5b39 https://git.kernel.org/stable/c/f49faa4a64f8ac0e38983e606075b25dfcfc9ad4 https://git.kernel.org/stable/c/f8b16d5764ee1e78c1ef333017ad383ffe76fcdc

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T12:17:12.504Z

Updated: 2026-05-27T12:17:12.504Z

Reserved: 2026-05-13T15:03:33.084Z

Link: CVE-2026-45904

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:04.820

Modified: 2026-06-17T10:52:42.190

Link: CVE-2026-45904

Redhat

Severity : Low

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-45904 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-28T17:30:15Z

Weaknesses

CWE-833

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object