Description
In the Linux kernel, the following vulnerability has been resolved:

PCI: Fix pci_slot_trylock() error handling

Commit a4e772898f8b ("PCI: Add missing bridge lock to pci_bus_lock()")
delegates the bridge device's pci_dev_trylock() to pci_bus_trylock() in
pci_slot_trylock(), but it forgets to remove the corresponding
pci_dev_unlock() when pci_bus_trylock() fails.

Before a4e772898f8b, the code did:

  if (!pci_dev_trylock(dev)) /* <- lock bridge device */
      goto unlock;
  if (dev->subordinate) {
      if (!pci_bus_trylock(dev->subordinate)) {
          pci_dev_unlock(dev); /* <- unlock bridge device */
          goto unlock;
      }
  }

After a4e772898f8b the bridge-device lock is no longer taken, but the
pci_dev_unlock(dev) on the failure path was left in place, leading to the
bug.

This yields one of two errors:

1. A warning that the lock is being unlocked when no one holds it.
2. An incorrect unlock of a lock that belongs to another thread.

Fix it by removing the now-redundant pci_dev_unlock(dev) on the failure
path.

[Same patch later posted by Keith at
https://patch.msgid.link/20260116184150.3013258-1-kbusch@meta.com]
Published: 2026-05-06
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Commit a4e772898f8b introduced a bug in pci_slot_trylock(): it moved the bridge device's pci_dev_trylock() into pci_bus_trylock() but left the matching pci_dev_unlock() on the path taken when pci_bus_trylock() fails. The earlier code took the bridge device lock itself and correctly released it on that failure path; the new code releases a lock it never took. This mismatch can lead to two kinds of errors: a warning that a lock is being released without being held, or an incorrect release of a lock owned by another thread. The result is corrupted lock state that can cause kernel crashes, data corruption, or denial of service.
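
The two errors listed in the description, reproduced in a small user-space model. This is an added illustration, not kernel code and not part of the CVE record; the owner-tracking lock, the single device below the bridge, the thread ids and the stale_unlock switch are assumptions of the model.

```c
#include <stdio.h>

/* User-space model, not kernel code. A lock records its owner (0 = free). */
struct lock { int owner; };
struct bridge { struct lock dev, child; };   /* bridge device + one device below it */
struct outcome { int ok, unheld, foreign, bridge_owner; };
static int unheld, foreign;                  /* counts of the two errors */

static int trylock(struct lock *l, int me)
{
    if (l->owner) return 0;
    l->owner = me;
    return 1;
}

static void unlock(struct lock *l, int me)
{
    if (!l->owner) { unheld++; return; }     /* error 1: nobody holds it */
    if (l->owner != me) foreign++;           /* error 2: someone else's lock */
    l->owner = 0;                            /* assumption: the release still happens */
}

/* Models pci_bus_trylock() after a4e772898f8b: takes the bridge lock itself
 * and rolls it back when a device below the bridge cannot be locked. */
static int bus_trylock(struct bridge *b, int me)
{
    if (!trylock(&b->dev, me)) return 0;
    if (!trylock(&b->child, me)) { unlock(&b->dev, me); return 0; }
    return 1;
}

/* Models the failure path of pci_slot_trylock(); stale_unlock=1 keeps the
 * leftover pci_dev_unlock(dev), stale_unlock=0 is the fixed form. */
static struct outcome slot_trylock(int bridge_owner, int child_owner, int stale_unlock)
{
    struct bridge b = { { bridge_owner }, { child_owner } };
    unheld = foreign = 0;
    int ok = bus_trylock(&b, 1);             /* the caller is thread 1 */
    if (!ok && stale_unlock)
        unlock(&b.dev, 1);
    return (struct outcome){ ok, unheld, foreign, b.dev.owner };
}

int main(void)
{
    struct outcome a = slot_trylock(0, 2, 1), c = slot_trylock(2, 0, 1);
    printf("child busy: unheld=%d; bridge busy: foreign=%d, owner now %d\n", a.unheld, c.foreign, c.bridge_owner);
    return 0;
}
```

With the device below the bridge held by thread 2, the stale unlock hits a lock nobody holds; with the bridge itself held by thread 2, it releases thread 2's lock. With stale_unlock=0 neither happens and thread 2 keeps the bridge lock.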

Affected Systems

All Linux kernel installations where the buggy pci_slot_trylock() implementation is present are affected. The CVE lists only the Linux vendor and provides no precise version range. Any kernel that includes commit a4e772898f8b is potentially vulnerable until the change that removes the redundant unlock is applied.

Risk and Exploitability

The CVSS score and EPSS are not provided, but the KEV status indicates the vulnerability is not listed in CISA KEV. According to the description, exploitation would require triggering the faulting code path with sufficient privileges, for example by loading a malicious kernel module or driver that invokes pci_slot_trylock failures. The likely attack vector is local privileged code execution; this inference is based on the need for kernel interaction to produce the erroneous unlock. No exploits are currently documented. Although the likelihood of exploitation remains low without an off‑the‑shelf exploit, the potential impact of kernel instability warrants timely remediation.

Generated by OpenCVE AI on May 6, 2026 at 16:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

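  • Update the Linux kernel to a release that contains the fix for pci_slot_trylock(), that is, one in which the pci_dev_unlock(dev) left behind by commit a4e772898f8b has been removed from the failure path.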
  • If a kernel upgrade cannot be applied immediately, manually patch the kernel source to remove the pci_dev_unlock on the failure path, ensuring proper lock handling.
  • As a temporary mitigation, disable PCI hotplug or other mechanisms that exercise the buggy code path if they are unnecessary in your environment.


Advisories

No advisories yet.

History

Wed, 06 May 2026 17:00:00 +0000

Values Removed: (none)
Values Added:
  • Weaknesses: CWE-416

Wed, 06 May 2026 12:15:00 +0000

Values Removed: (none)
Values Added:
  • Description: the description text shown at the top of this page
  • Title: PCI: Fix pci_slot_trylock() error handling
  • First Time appeared: Linux; Linux linux Kernel
  • CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
  • Vendors & Products: Linux; Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-06T11:28:14.423Z

Reserved: 2026-05-01T14:12:55.993Z

Link: CVE-2026-43211

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-06T12:16:40.527

Modified: 2026-05-06T13:07:51.607

Link: CVE-2026-43211

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T16:45:07Z

Weaknesses