Description
In the Linux kernel, the following vulnerability has been resolved:

spi: spidev: fix lock inversion between spi_lock and buf_lock

The spidev driver previously used two mutexes, spi_lock and buf_lock,
but acquired them in different orders depending on the code path:

write()/read(): buf_lock -> spi_lock
ioctl(): spi_lock -> buf_lock

This AB-BA locking pattern triggers lockdep warnings and can
cause real deadlocks:

WARNING: possible circular locking dependency detected
spidev_ioctl() -> mutex_lock(&spidev->buf_lock)
spidev_sync_write() -> mutex_lock(&spidev->spi_lock)
*** DEADLOCK ***

The issue is reproducible with a simple userspace program that
performs write() and SPI_IOC_WR_MAX_SPEED_HZ ioctl() calls from
separate threads on the same spidev file descriptor.

Fix this by simplifying the locking model and removing the lock
inversion entirely. spidev_sync() no longer performs any locking,
and all callers serialize access using spi_lock.

buf_lock is removed since its functionality is fully covered by
spi_lock, eliminating the possibility of lock ordering issues.

This removes the lock inversion and prevents deadlocks without
changing userspace ABI or behaviour.
Published: 2026-05-08
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The spidev driver in the Linux kernel used two mutexes, spi_lock and buf_lock, that were acquired in inconsistent orders depending on the operation path; write or read operations locked buf_lock first and then spi_lock, while ioctl paths took spi_lock before buf_lock. This AB‑BA ordering can trigger lockdep warnings and result in a real deadlock, halting SPI operations and potentially freezing processes that rely on the device. The issue is observable with a simple userspace program that performs concurrent write() and an SPI_IOC_WR_MAX_SPEED_HZ ioctl on the same file descriptor from separate threads.

Affected Systems

All Linux kernel installations that include the spidev driver and have not applied the fix are affected. No specific kernel version range is given in the advisory, so any kernel in use is potentially vulnerable until it is upgraded to the patched release. The spidev interface remains part of the official Linux kernel source tree for all distributions.

Risk and Exploitability

The vulnerability requires the ability to open the /dev/spidev* device node, which normally requires root privileges or belonging to the appropriate group. Based on the description, it is inferred that the attacker would need these permissions to trigger the deadlock. An attacker could cause a denial of service by performing concurrent I/O operations from multiple threads on the same device descriptor, halting SPI peripheral access. The CVSS score of 5.5 indicates moderate severity, and the weakness maps to CWE‑413 (Inverted Locking Pattern) and CWE‑667. The EPSS score of < 1% indicates an extremely low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The patch eliminates the second mutex and serializes access with spi_lock, removing the lock inversion problem entirely; once the kernel is updated, the risk is mitigated.

Generated by OpenCVE AI on May 15, 2026 at 19:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a release that includes the spidev lockfix patch. This is the definitive remedy.
  • If an update is not possible, serialize all spidev accesses by ensuring that write/read and ioctl operations on the same device file descriptor are not performed concurrently from separate threads; using separate file descriptors per thread is a workaround.
  • Restrict the permissions on /dev/spidev* device nodes so that only trusted users or services can access them, minimizing the attack surface.

Generated by OpenCVE AI on May 15, 2026 at 19:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 15 May 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-667
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-413
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Fri, 08 May 2026 14:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: spi: spidev: fix lock inversion between spi_lock and buf_lock The spidev driver previously used two mutexes, spi_lock and buf_lock, but acquired them in different orders depending on the code path: write()/read(): buf_lock -> spi_lock ioctl(): spi_lock -> buf_lock This AB-BA locking pattern triggers lockdep warnings and can cause real deadlocks: WARNING: possible circular locking dependency detected spidev_ioctl() -> mutex_lock(&spidev->buf_lock) spidev_sync_write() -> mutex_lock(&spidev->spi_lock) *** DEADLOCK *** The issue is reproducible with a simple userspace program that performs write() and SPI_IOC_WR_MAX_SPEED_HZ ioctl() calls from separate threads on the same spidev file descriptor. Fix this by simplifying the locking model and removing the lock inversion entirely. spidev_sync() no longer performs any locking, and all callers serialize access using spi_lock. buf_lock is removed since its functionality is fully covered by spi_lock, eliminating the possibility of lock ordering issues. This removes the lock inversion and prevents deadlocks without changing userspace ABI or behaviour.
Title spi: spidev: fix lock inversion between spi_lock and buf_lock
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:22:15.833Z

Reserved: 2026-05-01T14:12:56.001Z

Link: CVE-2026-43319

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-08T14:16:40.480

Modified: 2026-05-15T18:21:48.240

Link: CVE-2026-43319

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43319 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T20:00:07Z

Weaknesses