Home

Description

In the Linux kernel, the following vulnerability has been resolved: Revert "PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV" This reverts commit 05703271c3cd ("PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV"), which causes a deadlock by recursively taking pci_rescan_remove_lock when sriov_del_vfs() is called as part of pci_stop_and_remove_bus_device(). For example with the following sequence of commands: $ echo <NUM> > /sys/bus/pci/devices/<pf>/sriov_numvfs $ echo 1 > /sys/bus/pci/devices/<pf>/remove A trimmed trace of the deadlock on a mlx5 device is as below: zsh/5715 is trying to acquire lock: 000002597926ef50 (pci_rescan_remove_lock){+.+.}-{3:3}, at: sriov_disable+0x34/0x140 but task is already holding lock: 000002597926ef50 (pci_rescan_remove_lock){+.+.}-{3:3}, at: pci_stop_and_remove_bus_device_locked+0x24/0x80 ... Call Trace: [<00000259778c4f90>] dump_stack_lvl+0xc0/0x110 [<00000259779c844e>] print_deadlock_bug+0x31e/0x330 [<00000259779c1908>] __lock_acquire+0x16c8/0x32f0 [<00000259779bffac>] lock_acquire+0x14c/0x350 [<00000259789643a6>] __mutex_lock_common+0xe6/0x1520 [<000002597896413c>] mutex_lock_nested+0x3c/0x50 [<00000259784a07e4>] sriov_disable+0x34/0x140 [<00000258f7d6dd80>] mlx5_sriov_disable+0x50/0x80 [mlx5_core] [<00000258f7d5745e>] remove_one+0x5e/0xf0 [mlx5_core] [<00000259784857fc>] pci_device_remove+0x3c/0xa0 [<000002597851012e>] device_release_driver_internal+0x18e/0x280 [<000002597847ae22>] pci_stop_bus_device+0x82/0xa0 [<000002597847afce>] pci_stop_and_remove_bus_device_locked+0x5e/0x80 [<00000259784972c2>] remove_store+0x72/0x90 [<0000025977e6661a>] kernfs_fop_write_iter+0x15a/0x200 [<0000025977d7241c>] vfs_write+0x24c/0x300 [<0000025977d72696>] ksys_write+0x86/0x110 [<000002597895b61c>] __do_syscall+0x14c/0x400 [<000002597896e0ee>] system_call+0x6e/0x90 This alone is not a complete fix as it restores the issue the cited commit tried to solve. A new fix will be provided as a follow on.

PUBLISHED Reserved 2026-05-01 | Published 2026-05-06 | Updated 2026-05-06 | Assigner Linux

Product status

Default status
unaffected

1e8a80290f964bdbad225221c8a1594c7e01c8fd (git) before f61cdd7e9b67bb8961b0a81bf294b78343e5db05
affected

a645ca21de09e3137cbb224fa6c23cca873a1d01 (git) before 0de341b2365bad430aade0853fe09c2cbe468f59
affected

a24219172456f035d886857e265ca24c85b167c8 (git) before 83651d37474c762920e345a3a0828f975ca4d732
affected

36039348bca77828bf06eae41b8f76e38cd15847 (git) before 639265296fe6ee21b6f00e00ee2bab65f3b07252
affected

53154cd40ccf285f1d1c24367824082061d155bd (git) before d47f27e145f8bd13f3c230da5e3af29225b4a2f7
affected

05703271c3cdcc0f2a8cf6ebdc45892b8ca83520 (git) before 40f67686a5002c0c322fac918406bbc8d9c2ec2f
affected

05703271c3cdcc0f2a8cf6ebdc45892b8ca83520 (git) before 58677783c89681871077f50a7042b0c6380c4fd8
affected

05703271c3cdcc0f2a8cf6ebdc45892b8ca83520 (git) before 2fa119c0e5e528453ebae9e70740e8d2d8c0ed5a
affected

5c1cd7d405e94dc6cb320cc0cc092b74895b6ddf (git)
affected

ee40e5db052d7c6f406fdb95ad639c894c74674c (git)
affected

Default status
affected

6.18
affected

Any version before 6.18
unaffected

5.10.252 (semver)
unaffected

5.15.202 (semver)
unaffected

6.1.165 (semver)
unaffected

6.6.128 (semver)
unaffected

6.12.75 (semver)
unaffected

6.18.16 (semver)
unaffected

6.19.6 (semver)
unaffected

7.0 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/f61cdd7e9b67bb8961b0a81bf294b78343e5db05

git.kernel.org/...c/0de341b2365bad430aade0853fe09c2cbe468f59

git.kernel.org/...c/83651d37474c762920e345a3a0828f975ca4d732

git.kernel.org/...c/639265296fe6ee21b6f00e00ee2bab65f3b07252

git.kernel.org/...c/d47f27e145f8bd13f3c230da5e3af29225b4a2f7

git.kernel.org/...c/40f67686a5002c0c322fac918406bbc8d9c2ec2f

git.kernel.org/...c/58677783c89681871077f50a7042b0c6380c4fd8

git.kernel.org/...c/2fa119c0e5e528453ebae9e70740e8d2d8c0ed5a

cve.org (CVE-2026-43147)

nvd.nist.gov (CVE-2026-43147)

Download JSON