Description
In the Linux kernel, the following vulnerability has been resolved:

Revert "PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV"

This reverts commit 05703271c3cd ("PCI/IOV: Add PCI rescan-remove locking
when enabling/disabling SR-IOV"), which causes a deadlock by recursively
taking pci_rescan_remove_lock when sriov_del_vfs() is called as part of
pci_stop_and_remove_bus_device(). For example with the following sequence
of commands:

$ echo <NUM> > /sys/bus/pci/devices/<pf>/sriov_numvfs
$ echo 1 > /sys/bus/pci/devices/<pf>/remove

A trimmed trace of the deadlock on a mlx5 device is as below:

zsh/5715 is trying to acquire lock:
000002597926ef50 (pci_rescan_remove_lock){+.+.}-{3:3}, at: sriov_disable+0x34/0x140

but task is already holding lock:
000002597926ef50 (pci_rescan_remove_lock){+.+.}-{3:3}, at: pci_stop_and_remove_bus_device_locked+0x24/0x80
...
Call Trace:
[<00000259778c4f90>] dump_stack_lvl+0xc0/0x110
[<00000259779c844e>] print_deadlock_bug+0x31e/0x330
[<00000259779c1908>] __lock_acquire+0x16c8/0x32f0
[<00000259779bffac>] lock_acquire+0x14c/0x350
[<00000259789643a6>] __mutex_lock_common+0xe6/0x1520
[<000002597896413c>] mutex_lock_nested+0x3c/0x50
[<00000259784a07e4>] sriov_disable+0x34/0x140
[<00000258f7d6dd80>] mlx5_sriov_disable+0x50/0x80 [mlx5_core]
[<00000258f7d5745e>] remove_one+0x5e/0xf0 [mlx5_core]
[<00000259784857fc>] pci_device_remove+0x3c/0xa0
[<000002597851012e>] device_release_driver_internal+0x18e/0x280
[<000002597847ae22>] pci_stop_bus_device+0x82/0xa0
[<000002597847afce>] pci_stop_and_remove_bus_device_locked+0x5e/0x80
[<00000259784972c2>] remove_store+0x72/0x90
[<0000025977e6661a>] kernfs_fop_write_iter+0x15a/0x200
[<0000025977d7241c>] vfs_write+0x24c/0x300
[<0000025977d72696>] ksys_write+0x86/0x110
[<000002597895b61c>] __do_syscall+0x14c/0x400
[<000002597896e0ee>] system_call+0x6e/0x90

This alone is not a complete fix as it restores the issue the cited commit
tried to solve. A new fix will be provided as a follow on.
Published: 2026-05-06
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel module responsible for PCI/IOV functionality has a flaw where enabling or disabling SR‑IOV triggers a recursive acquisition of the pci_rescan_remove_lock. This recursive lock acquisition can lead to a deadlock that stalls kernel threads and can cause the system to become unresponsive or trigger a kernel panic. The vulnerability was identified by reverting a previous commit that attempted to add this lock. The likely attack scenario involves a privileged user or a process with direct access to the PCI subsystem executing SR‑IOV configuration commands such as writing to /sys/bus/pci/devices/<pf>/sriov_numvfs or /sys/bus/pci/devices/<pf>/remove. Because these operations involve manipulating PCI device state, the vulnerability requires local or remote access to those control interfaces. The deadlock represents a denial‑of‑service weakness that can result in complete loss of system availability. While there is no direct data‑exfiltration or code‑execution vector, the interruption of kernel operations constitutes a serious impact for production environments relying on SR‑IOV.

Affected Systems

All systems with the Linux kernel that include the PCI/IOV driver path containing the vulnerable lock logic are affected. The CNAs identify the product as "Linux: Linux" and the CPE string indicates the Linux kernel in general. Specific version information is not supplied, so any kernel release that includes the problematic commit (such as those near the current stable series) is potentially impacted. Users should check if the kernel contains commit 05703271c3cd or a newer state where the commit has been reverted.

Risk and Exploitability

No EPSS score is available and the vulnerability is not listed in CISA’s KEV catalog, suggesting limited public exploitation activity to date. The CVSS score is not provided, but the nature of the flaw—causing a deadlock that stops essential kernel services—implies a high severity on the impact scale. Exploitation requires privileged access to the SR‑IOV interface and a configuration scenario that triggers both the lock acquisition in sriov_disable and the concurrent removal path in pci_stop_and_remove_bus_device_locked. Because the flaw manifests during normal kernel operation rather than via a remote attack surface, the risk level is characterized as significant local exploitation potential.

Generated by OpenCVE AI on May 6, 2026 at 13:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that has reverted the problematic commit or includes a subsequent patch that resolves the deadlock.
  • If a newer kernel is not available, limit SR‑IOV configuration to trusted privileged users and avoid rapid enable/disable sequences that could trigger the lock recursion.
  • Monitor system logs for deadlock traces or catastrophic lock failures and apply kernel updates as soon as they become available.

Generated by OpenCVE AI on May 6, 2026 at 13:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: Revert "PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV" This reverts commit 05703271c3cd ("PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV"), which causes a deadlock by recursively taking pci_rescan_remove_lock when sriov_del_vfs() is called as part of pci_stop_and_remove_bus_device(). For example with the following sequence of commands: $ echo <NUM> > /sys/bus/pci/devices/<pf>/sriov_numvfs $ echo 1 > /sys/bus/pci/devices/<pf>/remove A trimmed trace of the deadlock on a mlx5 device is as below: zsh/5715 is trying to acquire lock: 000002597926ef50 (pci_rescan_remove_lock){+.+.}-{3:3}, at: sriov_disable+0x34/0x140 but task is already holding lock: 000002597926ef50 (pci_rescan_remove_lock){+.+.}-{3:3}, at: pci_stop_and_remove_bus_device_locked+0x24/0x80 ... Call Trace: [<00000259778c4f90>] dump_stack_lvl+0xc0/0x110 [<00000259779c844e>] print_deadlock_bug+0x31e/0x330 [<00000259779c1908>] __lock_acquire+0x16c8/0x32f0 [<00000259779bffac>] lock_acquire+0x14c/0x350 [<00000259789643a6>] __mutex_lock_common+0xe6/0x1520 [<000002597896413c>] mutex_lock_nested+0x3c/0x50 [<00000259784a07e4>] sriov_disable+0x34/0x140 [<00000258f7d6dd80>] mlx5_sriov_disable+0x50/0x80 [mlx5_core] [<00000258f7d5745e>] remove_one+0x5e/0xf0 [mlx5_core] [<00000259784857fc>] pci_device_remove+0x3c/0xa0 [<000002597851012e>] device_release_driver_internal+0x18e/0x280 [<000002597847ae22>] pci_stop_bus_device+0x82/0xa0 [<000002597847afce>] pci_stop_and_remove_bus_device_locked+0x5e/0x80 [<00000259784972c2>] remove_store+0x72/0x90 [<0000025977e6661a>] kernfs_fop_write_iter+0x15a/0x200 [<0000025977d7241c>] vfs_write+0x24c/0x300 [<0000025977d72696>] ksys_write+0x86/0x110 [<000002597895b61c>] __do_syscall+0x14c/0x400 [<000002597896e0ee>] system_call+0x6e/0x90 This alone is not a complete fix as it restores the issue the cited commit tried to solve. A new fix will be provided as a follow on.
Title Revert "PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV"
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-06T11:27:30.235Z

Reserved: 2026-05-01T14:12:55.989Z

Link: CVE-2026-43147

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-06T12:16:32.240

Modified: 2026-05-06T13:07:51.607

Link: CVE-2026-43147

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T16:15:06Z

Weaknesses

No weakness.