Bug 2492422 (CVE-2026-52952) - CVE-2026-52952 kernel: iommu: Fix WARN_ON in __iommu_group_set_domain_nofail() due to reset
Summary: CVE-2026-52952 kernel: iommu: Fix WARN_ON in __iommu_group_set_domain_nofail(...
Keywords:
Status: NEW
Alias: CVE-2026-52952
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-24 18:11 UTC by OSIDB Bzimport
Modified: 2026-06-26 14:28 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-24 18:11:20 UTC
In the Linux kernel, the following vulnerability has been resolved:

iommu: Fix WARN_ON in __iommu_group_set_domain_nofail() due to reset

In __iommu_group_set_domain_internal(), concurrent domain attachments are
rejected when any device in the group is recovering. This is necessary to
fence concurrent attachments to a multi-device group where devices might
share the same RID due to PCI DMA alias quirks, but triggers the WARN_ON in
__iommu_group_set_domain_nofail().

Other IOMMU_SET_DOMAIN_MUST_SUCCEED callers in detach/teardown paths, such
as __iommu_group_set_core_domain and __iommu_release_dma_ownership, should
not be rejected, as the domain would be freed anyway in these nofail paths
while group->domain is still pointing to it. So pci_dev_reset_iommu_done()
could trigger a UAF when re-attaching group->domain.

Honor the IOMMU_SET_DOMAIN_MUST_SUCCEED flag, allowing the callers through
the group->recovery_cnt fence, so as to update the group->domain pointer.
Instead add a gdev->blocked check in the device iteration loop, to prevent
any concurrent per-device detachment.

Comment 1 Mauro Matteo Cascella 2026-06-26 14:22:06 UTC
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026062434-CVE-2026-52952-0cff@gregkh/T


Note You need to log in before you can comment on or make changes to this bug.