VYPR
← All advisories
Medium severity5.5NVD Advisory· Published Apr 24, 2026· Updated Apr 27, 2026

CVE-2026-31647

CVE-2026-31647

Description

In the Linux kernel, the following vulnerability has been resolved:

idpf: fix PREEMPT_RT raw/bh spinlock nesting for async VC handling

Switch from using the completion's raw spinlock to a local lock in the idpf_vc_xn struct. The conversion is safe because complete/_all() are called outside the lock and there is no reason to share the completion lock in the current logic. This avoids invalid wait context reported by the kernel due to the async handler taking BH spinlock:

[ 805.726977] ============================= [ 805.726991] [ BUG: Invalid wait context ] [ 805.727006] 7.0.0-rc2-net-devq-031026+ #28 Tainted: G S OE [ 805.727026] ----------------------------- [ 805.727038] kworker/u261:0/572 is trying to lock: [ 805.727051] ff190da6a8dbb6a0 (&vport_config->mac_filter_list_lock){+...}-{3:3}, at: idpf_mac_filter_async_handler+0xe9/0x260 [idpf] [ 805.727099] other info that might help us debug this: [ 805.727111] context-{5:5} [ 805.727119] 3 locks held by kworker/u261:0/572: [ 805.727132] #0: ff190da6db3e6148 ((wq_completion)idpf-0000:83:00.0-mbx){+.+.}-{0:0}, at: process_one_work+0x4b5/0x730 [ 805.727163] #1: ff3c6f0a6131fe50 ((work_completion)(&(&adapter->mbx_task)->work)){+.+.}-{0:0}, at: process_one_work+0x1e5/0x730 [ 805.727191] #2: ff190da765190020 (&x->wait#34){+.+.}-{2:2}, at: idpf_recv_mb_msg+0xc8/0x710 [idpf] [ 805.727218] stack backtrace: ... [ 805.727238] Workqueue: idpf-0000:83:00.0-mbx idpf_mbx_task [idpf] [ 805.727247] Call Trace: [ 805.727249] [ 805.727251] dump_stack_lvl+0x77/0xb0 [ 805.727259] __lock_acquire+0xb3b/0x2290 [ 805.727268] ? __irq_work_queue_local+0x59/0x130 [ 805.727275] lock_acquire+0xc6/0x2f0 [ 805.727277] ? idpf_mac_filter_async_handler+0xe9/0x260 [idpf] [ 805.727284] ? _printk+0x5b/0x80 [ 805.727290] _raw_spin_lock_bh+0x38/0x50 [ 805.727298] ? idpf_mac_filter_async_handler+0xe9/0x260 [idpf] [ 805.727303] idpf_mac_filter_async_handler+0xe9/0x260 [idpf] [ 805.727310] idpf_recv_mb_msg+0x1c8/0x710 [idpf] [ 805.727317] process_one_work+0x226/0x730 [ 805.727322] worker_thread+0x19e/0x340 [ 805.727325] ? __pfx_worker_thread+0x10/0x10 [ 805.727328] kthread+0xf4/0x130 [ 805.727333] ? __pfx_kthread+0x10/0x10 [ 805.727336] ret_from_fork+0x32c/0x410 [ 805.727345] ? __pfx_kthread+0x10/0x10 [ 805.727347] ret_from_fork_asm+0x1a/0x30 [ 805.727354]

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel's idpf driver, improper spinlock nesting in async virtual channel handling causes a PREEMPT_RT invalid wait context bug, fixed by replacing the completion raw spinlock with a local lock.

Vulnerability

Overview

CVE-2026-31647 is a locking bug in the Intel idpf (Infrastructure Data Path Function) driver for Ethernet) driver in the Linux kernel. The issue arises in the asynchronous virtual channel (VC) message handling path, where the driver incorrectly nests a bottom-half (BH) spinlock inside a raw spinlock used by the completion mechanism. This violates the lock ordering rules required by the PREEMPT_RT kernel, leading to a kernel splat with the message "BUG: Invalid wait context" [1].

Exploitation

Context

The bug is triggered during normal driver operation when the driver processes mailbox messages from the device. Specifically, the idpf_recv_mb_msg function acquires a raw spinlock on the completion wait queue (&x->wait#34), and then the async handler idpf_mac_filter_async_handler attempts to acquire a BH spinlock (mac_filter_list_lock) while holding that raw lock. This nesting is invalid on PREEMPT_RT because raw spinlocks disable preemption but not softirqs, while BH spinlocks expect to be taken only in contexts where softirqs are already disabled. The attack surface is local; an attacker would need to be able to trigger mailbox messages that cause the driver to process a VC response, which could be achieved by a malicious virtual function or by physical access to the device [1].

Impact

If triggered, the kernel logs a warning and may enter an inconsistent locking state, potentially leading to a system hang or crash. The bug does not directly allow arbitrary code execution or privilege escalation, but it can cause a denial of service by crashing the kernel or deadlocking the driver's workqueue. The CVSS v3 score of 5.5 (Medium) reflects this availability impact [1].

Mitigation

The fix, committed to the Linux kernel stable tree, replaces the use of the completion's raw spinlock with a local lock in the idpf_vc_xn structure. This is safe because complete() and complete_all() are called outside the lock, and there is no need to share the completion lock. The patch is available in multiple stable kernel commits [1][2][3][4]. Users should update to a kernel containing the fix or apply the relevant patch.

References
  1. Making sure you're not a bot!
  2. Making sure you're not a bot!
  3. Making sure you're not a bot!
  4. Making sure you're not a bot!

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

10
  • Linux/Kernel10 versions
    cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 9 more
    • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=6.9.1,<6.12.83
    • cpe:2.3:o:linux:linux_kernel:6.9:-:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
    • (no CPE)

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

4

News mentions

0

No linked articles in our index yet.