PT-2026-51846 · Linux · Linux

Published 2026-06-24 · Updated 2026-06-24 · CVE-2026-52952

None

No severity ratings or metrics are available. When they are, we will update the corresponding information on this page.
In the Linux kernel, the following vulnerability has been resolved:
iommu: Fix WARN_ON in __iommu_group_set_domain_nofail() due to reset
In __iommu_group_set_domain_internal(), concurrent domain attachments are rejected when any device in the group is recovering. This is necessary to fence concurrent attachments to a multi-device group where devices might share the same RID due to PCI DMA alias quirks, but triggers the WARN_ON in __iommu_group_set_domain_nofail().
Other IOMMU_SET_DOMAIN_MUST_SUCCEED callers in detach/teardown paths, such as __iommu_group_set_core_domain and __iommu_release_dma_ownership, should not be rejected, as the domain would be freed anyway in these nofail paths while group->domain is still pointing to it. So pci_dev_reset_iommu_done() could trigger a UAF when re-attaching group->domain.
Honor the IOMMU_SET_DOMAIN_MUST_SUCCEED flag, allowing the callers through the group->recovery_cnt fence, so as to update the group->domain pointer. Instead add a gdev->blocked check in the device iteration loop, to prevent any concurrent per-device detachment.
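
The fence logic described above, as a simplified user-space model added here for illustration; it is not the kernel's code or the actual patch. The names set_domain, stale_after_teardown, MUST_SUCCEED and the fixed switch are hypothetical, and treating the gdev->blocked check as "skip that device" is an assumption.

```c
#include <stdio.h>
#include <stdbool.h>
#include <errno.h>

#define MUST_SUCCEED 0x1u  /* stand-in for IOMMU_SET_DOMAIN_MUST_SUCCEED */
#define NDEV 2

struct domain { int id; };
struct gdev { bool blocked; struct domain *attached; };
struct group {
    unsigned recovery_cnt;   /* >0 while any device is in reset recovery */
    struct domain *domain;   /* what the reset-done path would re-attach */
    struct gdev devs[NDEV];
};

/* Model of the set-domain path. fixed=false: the fence rejects every caller.
 * fixed=true: MUST_SUCCEED callers pass the fence; blocked devices are skipped. */
static int set_domain(struct group *g, struct domain *new_dom,
                      unsigned flags, bool fixed)
{
    if (g->recovery_cnt && !(fixed && (flags & MUST_SUCCEED)))
        return -EBUSY;
    for (int i = 0; i < NDEV; i++) {
        if (fixed && g->devs[i].blocked)
            continue;        /* assumed: device under reset is left alone */
        g->devs[i].attached = new_dom;
    }
    g->domain = new_dom;
    return 0;
}

/* Constructed scenario: device 0 is mid-reset while a nofail caller moves the
 * group off `old` before `old` is freed. True if group->domain stays stale. */
static bool stale_after_teardown(bool fixed)
{
    struct domain old = { 1 }, core = { 2 };
    struct group g = { .recovery_cnt = 1, .domain = &old,
                       .devs = { { true, NULL }, { false, &old } } };
    int ret = set_domain(&g, &core, MUST_SUCCEED, fixed);
    if (ret)  /* the kernel's nofail wrapper would WARN_ON at this point */
        printf("fixed=%d: nofail caller rejected with %d\n", fixed, ret);
    return g.domain == &old;
}

int main(void)
{
    printf("before fix, group->domain stale: %d\n", stale_after_teardown(false));
    printf("after fix,  group->domain stale: %d\n", stale_after_teardown(true));
    return 0;
}
```

In the model, the pre-fix path leaves group->domain pointing at a domain the teardown caller is about to free, which is the pointer the description says the reset-done path would re-attach.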

Related identifiers

CVE-2026-52952

Affected products

Linux