{
  "threat_severity" : "Low",
  "public_date" : "2025-10-04T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: iommu/amd: Fix pci device refcount leak in ppr_notifier()",
    "id" : "2401522",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2401522"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-911",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\niommu/amd: Fix pci device refcount leak in ppr_notifier()\nAs the comment of pci_get_domain_bus_and_slot() says, it returns\na pci device with its refcount incremented; when finished using it,\nthe caller must decrement the reference count by calling\npci_dev_put(). So call it before returning from ppr_notifier()\nto avoid a refcount leak.", "A reference counting violation was found in the Linux kernel's AMD IOMMU PPR (Peripheral Page Request) notification handler. When the handler looks up PCI devices using pci_get_domain_bus_and_slot, it receives a reference-counted device pointer but never releases that reference before returning. This creates permanent reference leaks that prevent proper device cleanup, eventually exhausting system resources and causing denial of service." ],
  "statement" : "The PPR notifier handles page fault requests from IOMMU-managed devices. As documented in the PCI subsystem, pci_get_domain_bus_and_slot increments the reference count on the returned device—this is intentional, ensuring the device doesn't disappear while being used. The caller's responsibility is to decrement that count via pci_dev_put when finished. The ppr_notifier function calls pci_get_domain_bus_and_slot to locate the faulting device, processes the fault, then returns without ever calling pci_dev_put. Each invocation therefore leaks one reference. Over time, these leaked references accumulate on the affected devices. Once a device has outstanding references, the system cannot fully release it even when physically removed or when the driver unloads. Eventually this can exhaust kernel object limits or create situations where stale device objects persist indefinitely. The issue affects AMD IOMMU systems when PPR is enabled.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50505\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50505\nhttps://lore.kernel.org/linux-cve-announce/2025100422-CVE-2022-50505-b427@gregkh/T" ],
  "name" : "CVE-2022-50505",
  "csaw" : false
}