CVE-2026-31647 (GCVE-0-2026-31647)

Vulnerability from cvelistv5 – Published: 2026-04-24 14:45 – Updated: 2026-04-24 14:45
VLAI?
Title
idpf: fix PREEMPT_RT raw/bh spinlock nesting for async VC handling
Summary
In the Linux kernel, the following vulnerability has been resolved: idpf: fix PREEMPT_RT raw/bh spinlock nesting for async VC handling Switch from using the completion's raw spinlock to a local lock in the idpf_vc_xn struct. The conversion is safe because complete/_all() are called outside the lock and there is no reason to share the completion lock in the current logic. This avoids invalid wait context reported by the kernel due to the async handler taking BH spinlock: [ 805.726977] ============================= [ 805.726991] [ BUG: Invalid wait context ] [ 805.727006] 7.0.0-rc2-net-devq-031026+ #28 Tainted: G S OE [ 805.727026] ----------------------------- [ 805.727038] kworker/u261:0/572 is trying to lock: [ 805.727051] ff190da6a8dbb6a0 (&vport_config->mac_filter_list_lock){+...}-{3:3}, at: idpf_mac_filter_async_handler+0xe9/0x260 [idpf] [ 805.727099] other info that might help us debug this: [ 805.727111] context-{5:5} [ 805.727119] 3 locks held by kworker/u261:0/572: [ 805.727132] #0: ff190da6db3e6148 ((wq_completion)idpf-0000:83:00.0-mbx){+.+.}-{0:0}, at: process_one_work+0x4b5/0x730 [ 805.727163] #1: ff3c6f0a6131fe50 ((work_completion)(&(&adapter->mbx_task)->work)){+.+.}-{0:0}, at: process_one_work+0x1e5/0x730 [ 805.727191] #2: ff190da765190020 (&x->wait#34){+.+.}-{2:2}, at: idpf_recv_mb_msg+0xc8/0x710 [idpf] [ 805.727218] stack backtrace: ... [ 805.727238] Workqueue: idpf-0000:83:00.0-mbx idpf_mbx_task [idpf] [ 805.727247] Call Trace: [ 805.727249] <TASK> [ 805.727251] dump_stack_lvl+0x77/0xb0 [ 805.727259] __lock_acquire+0xb3b/0x2290 [ 805.727268] ? __irq_work_queue_local+0x59/0x130 [ 805.727275] lock_acquire+0xc6/0x2f0 [ 805.727277] ? idpf_mac_filter_async_handler+0xe9/0x260 [idpf] [ 805.727284] ? _printk+0x5b/0x80 [ 805.727290] _raw_spin_lock_bh+0x38/0x50 [ 805.727298] ? idpf_mac_filter_async_handler+0xe9/0x260 [idpf] [ 805.727303] idpf_mac_filter_async_handler+0xe9/0x260 [idpf] [ 805.727310] idpf_recv_mb_msg+0x1c8/0x710 [idpf] [ 805.727317] process_one_work+0x226/0x730 [ 805.727322] worker_thread+0x19e/0x340 [ 805.727325] ? __pfx_worker_thread+0x10/0x10 [ 805.727328] kthread+0xf4/0x130 [ 805.727333] ? __pfx_kthread+0x10/0x10 [ 805.727336] ret_from_fork+0x32c/0x410 [ 805.727345] ? __pfx_kthread+0x10/0x10 [ 805.727347] ret_from_fork_asm+0x1a/0x30 [ 805.727354] </TASK>
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 34c21fa894a1af6166f4284c81d1dc21efed8f38 , < b448529f2f2921c6fe82fd4e985cc7c05cbf02a3 (git)
Affected: 34c21fa894a1af6166f4284c81d1dc21efed8f38 , < e02c974fc331f04b5ba2007d4bc6862df8a43148 (git)
Affected: 34c21fa894a1af6166f4284c81d1dc21efed8f38 , < 3bb632c6b6d8154e9019beda4a43a4b518ee3e8a (git)
Affected: 34c21fa894a1af6166f4284c81d1dc21efed8f38 , < 591478118293c1bd628de330a99eb1eb2ef8d76b (git)
Create a notification for this product.
    Linux Linux Affected: 6.9
Unaffected: 0 , < 6.9 (semver)
Unaffected: 6.12.83 , ≤ 6.12.* (semver)
Unaffected: 6.18.23 , ≤ 6.18.* (semver)
Unaffected: 6.19.13 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/idpf/idpf_virtchnl.c",
            "drivers/net/ethernet/intel/idpf/idpf_virtchnl.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b448529f2f2921c6fe82fd4e985cc7c05cbf02a3",
              "status": "affected",
              "version": "34c21fa894a1af6166f4284c81d1dc21efed8f38",
              "versionType": "git"
            },
            {
              "lessThan": "e02c974fc331f04b5ba2007d4bc6862df8a43148",
              "status": "affected",
              "version": "34c21fa894a1af6166f4284c81d1dc21efed8f38",
              "versionType": "git"
            },
            {
              "lessThan": "3bb632c6b6d8154e9019beda4a43a4b518ee3e8a",
              "status": "affected",
              "version": "34c21fa894a1af6166f4284c81d1dc21efed8f38",
              "versionType": "git"
            },
            {
              "lessThan": "591478118293c1bd628de330a99eb1eb2ef8d76b",
              "status": "affected",
              "version": "34c21fa894a1af6166f4284c81d1dc21efed8f38",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/idpf/idpf_virtchnl.c",
            "drivers/net/ethernet/intel/idpf/idpf_virtchnl.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.9"
            },
            {
              "lessThan": "6.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.23",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.83",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.23",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.13",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: fix PREEMPT_RT raw/bh spinlock nesting for async VC handling\n\nSwitch from using the completion\u0027s raw spinlock to a local lock in the\nidpf_vc_xn struct. The conversion is safe because complete/_all() are\ncalled outside the lock and there is no reason to share the completion\nlock in the current logic. This avoids invalid wait context reported by\nthe kernel due to the async handler taking BH spinlock:\n\n[  805.726977] =============================\n[  805.726991] [ BUG: Invalid wait context ]\n[  805.727006] 7.0.0-rc2-net-devq-031026+ #28 Tainted: G S         OE\n[  805.727026] -----------------------------\n[  805.727038] kworker/u261:0/572 is trying to lock:\n[  805.727051] ff190da6a8dbb6a0 (\u0026vport_config-\u003emac_filter_list_lock){+...}-{3:3}, at: idpf_mac_filter_async_handler+0xe9/0x260 [idpf]\n[  805.727099] other info that might help us debug this:\n[  805.727111] context-{5:5}\n[  805.727119] 3 locks held by kworker/u261:0/572:\n[  805.727132]  #0: ff190da6db3e6148 ((wq_completion)idpf-0000:83:00.0-mbx){+.+.}-{0:0}, at: process_one_work+0x4b5/0x730\n[  805.727163]  #1: ff3c6f0a6131fe50 ((work_completion)(\u0026(\u0026adapter-\u003embx_task)-\u003ework)){+.+.}-{0:0}, at: process_one_work+0x1e5/0x730\n[  805.727191]  #2: ff190da765190020 (\u0026x-\u003ewait#34){+.+.}-{2:2}, at: idpf_recv_mb_msg+0xc8/0x710 [idpf]\n[  805.727218] stack backtrace:\n...\n[  805.727238] Workqueue: idpf-0000:83:00.0-mbx idpf_mbx_task [idpf]\n[  805.727247] Call Trace:\n[  805.727249]  \u003cTASK\u003e\n[  805.727251]  dump_stack_lvl+0x77/0xb0\n[  805.727259]  __lock_acquire+0xb3b/0x2290\n[  805.727268]  ? __irq_work_queue_local+0x59/0x130\n[  805.727275]  lock_acquire+0xc6/0x2f0\n[  805.727277]  ? idpf_mac_filter_async_handler+0xe9/0x260 [idpf]\n[  805.727284]  ? _printk+0x5b/0x80\n[  805.727290]  _raw_spin_lock_bh+0x38/0x50\n[  805.727298]  ? idpf_mac_filter_async_handler+0xe9/0x260 [idpf]\n[  805.727303]  idpf_mac_filter_async_handler+0xe9/0x260 [idpf]\n[  805.727310]  idpf_recv_mb_msg+0x1c8/0x710 [idpf]\n[  805.727317]  process_one_work+0x226/0x730\n[  805.727322]  worker_thread+0x19e/0x340\n[  805.727325]  ? __pfx_worker_thread+0x10/0x10\n[  805.727328]  kthread+0xf4/0x130\n[  805.727333]  ? __pfx_kthread+0x10/0x10\n[  805.727336]  ret_from_fork+0x32c/0x410\n[  805.727345]  ? __pfx_kthread+0x10/0x10\n[  805.727347]  ret_from_fork_asm+0x1a/0x30\n[  805.727354]  \u003c/TASK\u003e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-24T14:45:00.734Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b448529f2f2921c6fe82fd4e985cc7c05cbf02a3"
        },
        {
          "url": "https://git.kernel.org/stable/c/e02c974fc331f04b5ba2007d4bc6862df8a43148"
        },
        {
          "url": "https://git.kernel.org/stable/c/3bb632c6b6d8154e9019beda4a43a4b518ee3e8a"
        },
        {
          "url": "https://git.kernel.org/stable/c/591478118293c1bd628de330a99eb1eb2ef8d76b"
        }
      ],
      "title": "idpf: fix PREEMPT_RT raw/bh spinlock nesting for async VC handling",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-31647",
    "datePublished": "2026-04-24T14:45:00.734Z",
    "dateReserved": "2026-03-09T15:48:24.127Z",
    "dateUpdated": "2026-04-24T14:45:00.734Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-31647",
      "date": "2026-04-26",
      "epss": "0.00018",
      "percentile": "0.0462"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-31647\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-04-24T15:16:44.073\",\"lastModified\":\"2026-04-24T17:51:40.810\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nidpf: fix PREEMPT_RT raw/bh spinlock nesting for async VC handling\\n\\nSwitch from using the completion\u0027s raw spinlock to a local lock in the\\nidpf_vc_xn struct. The conversion is safe because complete/_all() are\\ncalled outside the lock and there is no reason to share the completion\\nlock in the current logic. This avoids invalid wait context reported by\\nthe kernel due to the async handler taking BH spinlock:\\n\\n[  805.726977] =============================\\n[  805.726991] [ BUG: Invalid wait context ]\\n[  805.727006] 7.0.0-rc2-net-devq-031026+ #28 Tainted: G S         OE\\n[  805.727026] -----------------------------\\n[  805.727038] kworker/u261:0/572 is trying to lock:\\n[  805.727051] ff190da6a8dbb6a0 (\u0026vport_config-\u003emac_filter_list_lock){+...}-{3:3}, at: idpf_mac_filter_async_handler+0xe9/0x260 [idpf]\\n[  805.727099] other info that might help us debug this:\\n[  805.727111] context-{5:5}\\n[  805.727119] 3 locks held by kworker/u261:0/572:\\n[  805.727132]  #0: ff190da6db3e6148 ((wq_completion)idpf-0000:83:00.0-mbx){+.+.}-{0:0}, at: process_one_work+0x4b5/0x730\\n[  805.727163]  #1: ff3c6f0a6131fe50 ((work_completion)(\u0026(\u0026adapter-\u003embx_task)-\u003ework)){+.+.}-{0:0}, at: process_one_work+0x1e5/0x730\\n[  805.727191]  #2: ff190da765190020 (\u0026x-\u003ewait#34){+.+.}-{2:2}, at: idpf_recv_mb_msg+0xc8/0x710 [idpf]\\n[  805.727218] stack backtrace:\\n...\\n[  805.727238] Workqueue: idpf-0000:83:00.0-mbx idpf_mbx_task [idpf]\\n[  805.727247] Call Trace:\\n[  805.727249]  \u003cTASK\u003e\\n[  805.727251]  dump_stack_lvl+0x77/0xb0\\n[  805.727259]  __lock_acquire+0xb3b/0x2290\\n[  805.727268]  ? __irq_work_queue_local+0x59/0x130\\n[  805.727275]  lock_acquire+0xc6/0x2f0\\n[  805.727277]  ? idpf_mac_filter_async_handler+0xe9/0x260 [idpf]\\n[  805.727284]  ? _printk+0x5b/0x80\\n[  805.727290]  _raw_spin_lock_bh+0x38/0x50\\n[  805.727298]  ? idpf_mac_filter_async_handler+0xe9/0x260 [idpf]\\n[  805.727303]  idpf_mac_filter_async_handler+0xe9/0x260 [idpf]\\n[  805.727310]  idpf_recv_mb_msg+0x1c8/0x710 [idpf]\\n[  805.727317]  process_one_work+0x226/0x730\\n[  805.727322]  worker_thread+0x19e/0x340\\n[  805.727325]  ? __pfx_worker_thread+0x10/0x10\\n[  805.727328]  kthread+0xf4/0x130\\n[  805.727333]  ? __pfx_kthread+0x10/0x10\\n[  805.727336]  ret_from_fork+0x32c/0x410\\n[  805.727345]  ? __pfx_kthread+0x10/0x10\\n[  805.727347]  ret_from_fork_asm+0x1a/0x30\\n[  805.727354]  \u003c/TASK\u003e\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/3bb632c6b6d8154e9019beda4a43a4b518ee3e8a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/591478118293c1bd628de330a99eb1eb2ef8d76b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/b448529f2f2921c6fe82fd4e985cc7c05cbf02a3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e02c974fc331f04b5ba2007d4bc6862df8a43148\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.