In the Linux kernel, the following vulnerability has been resolved:
powerpc/iommu: Fix the missing iommu_group_put() during platform domain attach
The function spapr_tce_platform_iommu_attach_dev() does not call iommu_group_put() when the domain is already set, so the group reference it holds is never released. This refcount leak shows up as a BUG_ON() during a DLPAR remove operation:
  KernelBug: Kernel bug in state 'None': kernel BUG at arch/powerpc/platforms/pseries/iommu.c:100!
  Oops: Exception in kernel mode, sig: 5 [#1]
  LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=8192 NUMA pSeries
  <snip>
  Hardware name: IBM,9080-HEX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060016) hv:phyp pSeries
  NIP: c0000000000ff4d4 LR: c0000000000ff4cc CTR: 0000000000000000
  REGS: c0000013aed5f840 TRAP: 0700 Tainted: G I (6.8.0-rc3-autotest-g99bd3cb0d12e)
  MSR: 8000000000029033 <SF,EE,ME,IR,DR,RI,LE> CR: 44002402 XER: 20040000
  CFAR: c000000000a0d170 IRQMASK: 0
  ...
  NIP iommu_reconfig_notifier+0x94/0x200
  LR iommu_reconfig_notifier+0x8c/0x200
  Call Trace:
  iommu_reconfig_notifier+0x8c/0x200 (unreliable)
  notifier_call_chain+0xb8/0x19c
  blocking_notifier_call_chain+0x64/0x98
  of_reconfig_notify+0x44/0xdc
  of_detach_node+0x78/0xb0
  ofdt_write.part.0+0x86c/0xbb8
  proc_reg_write+0xf4/0x150
  vfs_write+0xf8/0x488
  ksys_write+0x84/0x140
  system_call_exception+0x138/0x330
  system_call_vectored_common+0x15c/0x2ec
The patch adds the missing iommu_group_put() call.
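The leak pattern described above, as an added user-space model (not the kernel's code and not part of the original advisory): an attach routine takes a group reference and returns early without dropping it, so the count is still non-zero when the owner releases the group at removal. All struct and function names here are hypothetical stand-ins.

```c
#include <stddef.h>

/* Simplified model; names are hypothetical, not the kernel's API. */
struct group  { int refs; };
struct device { struct group *grp; const void *domain; };

static struct group *group_get(struct device *d) { d->grp->refs++; return d->grp; }
static void group_put(struct group *g) { g->refs--; }

static const int platform_domain = 0;   /* stand-in for the platform domain */

/* Leaky shape: the early return skips the put for the reference taken above. */
static int attach_leaky(struct device *d, const void *dom)
{
    struct group *g = group_get(d);
    if (d->domain == dom)
        return 0;                       /* reference is never released */
    d->domain = dom;
    group_put(g);
    return 0;
}

/* Fixed shape: every exit path releases the reference it took. */
static int attach_fixed(struct device *d, const void *dom)
{
    struct group *g = group_get(d);
    if (d->domain != dom)
        d->domain = dom;
    group_put(g);
    return 0;
}

/* Attach n times, then drop the owner's reference as a removal would.
 * Returns the references still held; non-zero is the state in which a
 * teardown path that expects the group to be gone would hit BUG_ON(). */
static int refs_left_after_remove(int fixed, int n)
{
    struct group g = { .refs = 1 };     /* owner's reference */
    struct device d = { .grp = &g, .domain = NULL };
    for (int i = 0; i < n; i++) {
        if (fixed) attach_fixed(&d, &platform_domain);
        else       attach_leaky(&d, &platform_domain);
    }
    group_put(&g);                      /* owner's final put */
    return g.refs;
}

int main(void)
{
    /* Exit 0 only if the leaky path leaks and the fixed path does not. */
    return !(refs_left_after_remove(0, 3) == 2 && refs_left_after_remove(1, 3) == 0);
}
```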