CVE-2026-46262
Description
Linux kernel ASoC: fsl_xcvr driver deadlock due to incorrect lock acquisition in fsl_xcvr_mode_put().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Linux kernel ASoC: fsl_xcvr driver deadlock due to incorrect lock acquisition in fsl_xcvr_mode_put().
Vulnerability
The Linux kernel's ASoC: fsl_xcvr driver contains a deadlock vulnerability. This issue arises from an incorrect attempt to acquire the card->controls_rwsem lock within the fsl_xcvr_mode_put() function. This function is called by snd_ctl_elem_write(), which already holds the write lock for the entire operation. Re-acquiring the read lock while holding the write lock in the same thread leads to a deadlock and a hung task [1]. This vulnerability affects versions of the kernel where commit f51424872760 was applied.
Exploitation
An attacker can trigger this vulnerability by performing operations that lead to the fsl_xcvr_mode_put() function being called while the card->controls_rwsem is already held in write mode by the same thread. This typically occurs during ALSA control element writes within the affected driver, potentially requiring specific hardware configurations or user interactions that exercise this code path.
Impact
Successful exploitation of this vulnerability results in a deadlock within the kernel, leading to a hung task and a denial of service. This prevents the affected system from continuing normal operation, requiring a reboot to recover.
Mitigation
This vulnerability has been resolved by reverting commit f51424872760. The fix is available in the Linux kernel. Specific fixed versions and release dates are not detailed in the provided references, but the issue is addressed by the reversion of the problematic patch [1]. No workarounds are described, and the EOL status or KEV listing is not yet disclosed in the available references.
AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
1430ffcad5edb5ASoC: fsl_xcvr: Revert fix missing lock in fsl_xcvr_mode_put()
1 file changed · +0 −4
sound/soc/fsl/fsl_xcvr.c+0 −4 modifieddiff --git a/sound/soc/fsl/fsl_xcvr.c b/sound/soc/fsl/fsl_xcvr.c index e6c0e6609cbe0..5b61b93772d64 100644 --- a/sound/soc/fsl/fsl_xcvr.c +++ b/sound/soc/fsl/fsl_xcvr.c @@ -203,13 +203,10 @@ static int fsl_xcvr_mode_put(struct snd_kcontrol *kcontrol, xcvr->mode = snd_soc_enum_item_to_val(e, item[0]); - down_read(&card->snd_card->controls_rwsem); fsl_xcvr_activate_ctl(dai, fsl_xcvr_arc_mode_kctl.name, (xcvr->mode == FSL_XCVR_MODE_ARC)); fsl_xcvr_activate_ctl(dai, fsl_xcvr_earc_capds_kctl.name, (xcvr->mode == FSL_XCVR_MODE_EARC)); - up_read(&card->snd_card->controls_rwsem); - /* Allow playback for SPDIF only */ rtd = snd_soc_get_pcm_runtime(card, card->dai_link); rtd->pcm->streams[SNDRV_PCM_STREAM_PLAYBACK].substream_count = -- cgit 1.3-korg
29b2fbe3498dASoC: fsl_xcvr: Revert fix missing lock in fsl_xcvr_mode_put()
1 file changed · +0 −4
sound/soc/fsl/fsl_xcvr.c+0 −4 modifieddiff --git a/sound/soc/fsl/fsl_xcvr.c b/sound/soc/fsl/fsl_xcvr.c index 3a5ab8b536728..90a0a24c05d84 100644 --- a/sound/soc/fsl/fsl_xcvr.c +++ b/sound/soc/fsl/fsl_xcvr.c @@ -206,13 +206,10 @@ static int fsl_xcvr_mode_put(struct snd_kcontrol *kcontrol, xcvr->mode = snd_soc_enum_item_to_val(e, item[0]); - down_read(&card->snd_card->controls_rwsem); fsl_xcvr_activate_ctl(dai, fsl_xcvr_arc_mode_kctl.name, (xcvr->mode == FSL_XCVR_MODE_ARC)); fsl_xcvr_activate_ctl(dai, fsl_xcvr_earc_capds_kctl.name, (xcvr->mode == FSL_XCVR_MODE_EARC)); - up_read(&card->snd_card->controls_rwsem); - /* Allow playback for SPDIF only */ rtd = snd_soc_get_pcm_runtime(card, card->dai_link); rtd->pcm->streams[SNDRV_PCM_STREAM_PLAYBACK].substream_count = -- cgit 1.3-korg
b0f74f5d24feASoC: fsl_xcvr: Revert fix missing lock in fsl_xcvr_mode_put()
1 file changed · +0 −4
sound/soc/fsl/fsl_xcvr.c+0 −4 modifieddiff --git a/sound/soc/fsl/fsl_xcvr.c b/sound/soc/fsl/fsl_xcvr.c index d6f00920391d1..656a4d619cdf1 100644 --- a/sound/soc/fsl/fsl_xcvr.c +++ b/sound/soc/fsl/fsl_xcvr.c @@ -216,13 +216,10 @@ static int fsl_xcvr_mode_put(struct snd_kcontrol *kcontrol, xcvr->mode = snd_soc_enum_item_to_val(e, item[0]); - down_read(&card->snd_card->controls_rwsem); fsl_xcvr_activate_ctl(dai, fsl_xcvr_arc_mode_kctl.name, (xcvr->mode == FSL_XCVR_MODE_ARC)); fsl_xcvr_activate_ctl(dai, fsl_xcvr_earc_capds_kctl.name, (xcvr->mode == FSL_XCVR_MODE_EARC)); - up_read(&card->snd_card->controls_rwsem); - /* Allow playback for SPDIF only */ rtd = snd_soc_get_pcm_runtime(card, card->dai_link); rtd->pcm->streams[SNDRV_PCM_STREAM_PLAYBACK].substream_count = -- cgit 1.3-korg
9a2a5da00277ASoC: fsl_xcvr: Revert fix missing lock in fsl_xcvr_mode_put()
1 file changed · +0 −4
sound/soc/fsl/fsl_xcvr.c+0 −4 modifieddiff --git a/sound/soc/fsl/fsl_xcvr.c b/sound/soc/fsl/fsl_xcvr.c index 51669e5fe8888..58db4906a01d5 100644 --- a/sound/soc/fsl/fsl_xcvr.c +++ b/sound/soc/fsl/fsl_xcvr.c @@ -223,13 +223,10 @@ static int fsl_xcvr_mode_put(struct snd_kcontrol *kcontrol, xcvr->mode = snd_soc_enum_item_to_val(e, item[0]); - down_read(&card->snd_card->controls_rwsem); fsl_xcvr_activate_ctl(dai, fsl_xcvr_arc_mode_kctl.name, (xcvr->mode == FSL_XCVR_MODE_ARC)); fsl_xcvr_activate_ctl(dai, fsl_xcvr_earc_capds_kctl.name, (xcvr->mode == FSL_XCVR_MODE_EARC)); - up_read(&card->snd_card->controls_rwsem); - /* Allow playback for SPDIF only */ rtd = snd_soc_get_pcm_runtime(card, card->dai_link); rtd->pcm->streams[SNDRV_PCM_STREAM_PLAYBACK].substream_count = -- cgit 1.3-korg
0886dc6326c3ASoC: fsl_xcvr: Revert fix missing lock in fsl_xcvr_mode_put()
1 file changed · +0 −4
sound/soc/fsl/fsl_xcvr.c+0 −4 modifieddiff --git a/sound/soc/fsl/fsl_xcvr.c b/sound/soc/fsl/fsl_xcvr.c index 5de93f458b569..a268fb81a2f86 100644 --- a/sound/soc/fsl/fsl_xcvr.c +++ b/sound/soc/fsl/fsl_xcvr.c @@ -223,13 +223,10 @@ static int fsl_xcvr_mode_put(struct snd_kcontrol *kcontrol, xcvr->mode = snd_soc_enum_item_to_val(e, item[0]); - down_read(&card->snd_card->controls_rwsem); fsl_xcvr_activate_ctl(dai, fsl_xcvr_arc_mode_kctl.name, (xcvr->mode == FSL_XCVR_MODE_ARC)); fsl_xcvr_activate_ctl(dai, fsl_xcvr_earc_capds_kctl.name, (xcvr->mode == FSL_XCVR_MODE_EARC)); - up_read(&card->snd_card->controls_rwsem); - /* Allow playback for SPDIF only */ rtd = snd_soc_get_pcm_runtime(card, card->dai_link); rtd->pcm->streams[SNDRV_PCM_STREAM_PLAYBACK].substream_count = -- cgit 1.3-korg
9f16d96e1222ASoC: fsl_xcvr: Revert fix missing lock in fsl_xcvr_mode_put()
1 file changed · +0 −4
sound/soc/fsl/fsl_xcvr.c+0 −4 modifieddiff --git a/sound/soc/fsl/fsl_xcvr.c b/sound/soc/fsl/fsl_xcvr.c index 5de93f458b569..a268fb81a2f86 100644 --- a/sound/soc/fsl/fsl_xcvr.c +++ b/sound/soc/fsl/fsl_xcvr.c @@ -223,13 +223,10 @@ static int fsl_xcvr_mode_put(struct snd_kcontrol *kcontrol, xcvr->mode = snd_soc_enum_item_to_val(e, item[0]); - down_read(&card->snd_card->controls_rwsem); fsl_xcvr_activate_ctl(dai, fsl_xcvr_arc_mode_kctl.name, (xcvr->mode == FSL_XCVR_MODE_ARC)); fsl_xcvr_activate_ctl(dai, fsl_xcvr_earc_capds_kctl.name, (xcvr->mode == FSL_XCVR_MODE_EARC)); - up_read(&card->snd_card->controls_rwsem); - /* Allow playback for SPDIF only */ rtd = snd_soc_get_pcm_runtime(card, card->dai_link); rtd->pcm->streams[SNDRV_PCM_STREAM_PLAYBACK].substream_count = -- cgit 1.3-korg
ae5a70e3e87cASoC: fsl_xcvr: Revert fix missing lock in fsl_xcvr_mode_put()
1 file changed · +0 −4
sound/soc/fsl/fsl_xcvr.c+0 −4 modifieddiff --git a/sound/soc/fsl/fsl_xcvr.c b/sound/soc/fsl/fsl_xcvr.c index c4deb09c9a9bc..ae5960b2b6a95 100644 --- a/sound/soc/fsl/fsl_xcvr.c +++ b/sound/soc/fsl/fsl_xcvr.c @@ -203,13 +203,10 @@ static int fsl_xcvr_mode_put(struct snd_kcontrol *kcontrol, xcvr->mode = snd_soc_enum_item_to_val(e, item[0]); - down_read(&card->snd_card->controls_rwsem); fsl_xcvr_activate_ctl(dai, fsl_xcvr_arc_mode_kctl.name, (xcvr->mode == FSL_XCVR_MODE_ARC)); fsl_xcvr_activate_ctl(dai, fsl_xcvr_earc_capds_kctl.name, (xcvr->mode == FSL_XCVR_MODE_EARC)); - up_read(&card->snd_card->controls_rwsem); - /* Allow playback for SPDIF only */ rtd = snd_soc_get_pcm_runtime(card, card->dai_link); rtd->pcm->streams[SNDRV_PCM_STREAM_PLAYBACK].substream_count = -- cgit 1.3-korg
0886dc6326c3ASoC: fsl_xcvr: Revert fix missing lock in fsl_xcvr_mode_put()
1 file changed · +0 −4
sound/soc/fsl/fsl_xcvr.c+0 −4 modifieddiff --git a/sound/soc/fsl/fsl_xcvr.c b/sound/soc/fsl/fsl_xcvr.c index 5de93f458b569..a268fb81a2f86 100644 --- a/sound/soc/fsl/fsl_xcvr.c +++ b/sound/soc/fsl/fsl_xcvr.c @@ -223,13 +223,10 @@ static int fsl_xcvr_mode_put(struct snd_kcontrol *kcontrol, xcvr->mode = snd_soc_enum_item_to_val(e, item[0]); - down_read(&card->snd_card->controls_rwsem); fsl_xcvr_activate_ctl(dai, fsl_xcvr_arc_mode_kctl.name, (xcvr->mode == FSL_XCVR_MODE_ARC)); fsl_xcvr_activate_ctl(dai, fsl_xcvr_earc_capds_kctl.name, (xcvr->mode == FSL_XCVR_MODE_EARC)); - up_read(&card->snd_card->controls_rwsem); - /* Allow playback for SPDIF only */ rtd = snd_soc_get_pcm_runtime(card, card->dai_link); rtd->pcm->streams[SNDRV_PCM_STREAM_PLAYBACK].substream_count = -- cgit 1.3-korg
30ffcad5edb5ASoC: fsl_xcvr: Revert fix missing lock in fsl_xcvr_mode_put()
1 file changed · +0 −4
sound/soc/fsl/fsl_xcvr.c+0 −4 modifieddiff --git a/sound/soc/fsl/fsl_xcvr.c b/sound/soc/fsl/fsl_xcvr.c index e6c0e6609cbe0..5b61b93772d64 100644 --- a/sound/soc/fsl/fsl_xcvr.c +++ b/sound/soc/fsl/fsl_xcvr.c @@ -203,13 +203,10 @@ static int fsl_xcvr_mode_put(struct snd_kcontrol *kcontrol, xcvr->mode = snd_soc_enum_item_to_val(e, item[0]); - down_read(&card->snd_card->controls_rwsem); fsl_xcvr_activate_ctl(dai, fsl_xcvr_arc_mode_kctl.name, (xcvr->mode == FSL_XCVR_MODE_ARC)); fsl_xcvr_activate_ctl(dai, fsl_xcvr_earc_capds_kctl.name, (xcvr->mode == FSL_XCVR_MODE_EARC)); - up_read(&card->snd_card->controls_rwsem); - /* Allow playback for SPDIF only */ rtd = snd_soc_get_pcm_runtime(card, card->dai_link); rtd->pcm->streams[SNDRV_PCM_STREAM_PLAYBACK].substream_count = -- cgit 1.3-korg
9a2a5da00277ASoC: fsl_xcvr: Revert fix missing lock in fsl_xcvr_mode_put()
1 file changed · +0 −4
sound/soc/fsl/fsl_xcvr.c+0 −4 modifieddiff --git a/sound/soc/fsl/fsl_xcvr.c b/sound/soc/fsl/fsl_xcvr.c index 51669e5fe8888..58db4906a01d5 100644 --- a/sound/soc/fsl/fsl_xcvr.c +++ b/sound/soc/fsl/fsl_xcvr.c @@ -223,13 +223,10 @@ static int fsl_xcvr_mode_put(struct snd_kcontrol *kcontrol, xcvr->mode = snd_soc_enum_item_to_val(e, item[0]); - down_read(&card->snd_card->controls_rwsem); fsl_xcvr_activate_ctl(dai, fsl_xcvr_arc_mode_kctl.name, (xcvr->mode == FSL_XCVR_MODE_ARC)); fsl_xcvr_activate_ctl(dai, fsl_xcvr_earc_capds_kctl.name, (xcvr->mode == FSL_XCVR_MODE_EARC)); - up_read(&card->snd_card->controls_rwsem); - /* Allow playback for SPDIF only */ rtd = snd_soc_get_pcm_runtime(card, card->dai_link); rtd->pcm->streams[SNDRV_PCM_STREAM_PLAYBACK].substream_count = -- cgit 1.3-korg
9f16d96e1222ASoC: fsl_xcvr: Revert fix missing lock in fsl_xcvr_mode_put()
1 file changed · +0 −4
sound/soc/fsl/fsl_xcvr.c+0 −4 modifieddiff --git a/sound/soc/fsl/fsl_xcvr.c b/sound/soc/fsl/fsl_xcvr.c index 5de93f458b569..a268fb81a2f86 100644 --- a/sound/soc/fsl/fsl_xcvr.c +++ b/sound/soc/fsl/fsl_xcvr.c @@ -223,13 +223,10 @@ static int fsl_xcvr_mode_put(struct snd_kcontrol *kcontrol, xcvr->mode = snd_soc_enum_item_to_val(e, item[0]); - down_read(&card->snd_card->controls_rwsem); fsl_xcvr_activate_ctl(dai, fsl_xcvr_arc_mode_kctl.name, (xcvr->mode == FSL_XCVR_MODE_ARC)); fsl_xcvr_activate_ctl(dai, fsl_xcvr_earc_capds_kctl.name, (xcvr->mode == FSL_XCVR_MODE_EARC)); - up_read(&card->snd_card->controls_rwsem); - /* Allow playback for SPDIF only */ rtd = snd_soc_get_pcm_runtime(card, card->dai_link); rtd->pcm->streams[SNDRV_PCM_STREAM_PLAYBACK].substream_count = -- cgit 1.3-korg
ae5a70e3e87cASoC: fsl_xcvr: Revert fix missing lock in fsl_xcvr_mode_put()
1 file changed · +0 −4
sound/soc/fsl/fsl_xcvr.c+0 −4 modifieddiff --git a/sound/soc/fsl/fsl_xcvr.c b/sound/soc/fsl/fsl_xcvr.c index c4deb09c9a9bc..ae5960b2b6a95 100644 --- a/sound/soc/fsl/fsl_xcvr.c +++ b/sound/soc/fsl/fsl_xcvr.c @@ -203,13 +203,10 @@ static int fsl_xcvr_mode_put(struct snd_kcontrol *kcontrol, xcvr->mode = snd_soc_enum_item_to_val(e, item[0]); - down_read(&card->snd_card->controls_rwsem); fsl_xcvr_activate_ctl(dai, fsl_xcvr_arc_mode_kctl.name, (xcvr->mode == FSL_XCVR_MODE_ARC)); fsl_xcvr_activate_ctl(dai, fsl_xcvr_earc_capds_kctl.name, (xcvr->mode == FSL_XCVR_MODE_EARC)); - up_read(&card->snd_card->controls_rwsem); - /* Allow playback for SPDIF only */ rtd = snd_soc_get_pcm_runtime(card, card->dai_link); rtd->pcm->streams[SNDRV_PCM_STREAM_PLAYBACK].substream_count = -- cgit 1.3-korg
b0f74f5d24feASoC: fsl_xcvr: Revert fix missing lock in fsl_xcvr_mode_put()
1 file changed · +0 −4
sound/soc/fsl/fsl_xcvr.c+0 −4 modifieddiff --git a/sound/soc/fsl/fsl_xcvr.c b/sound/soc/fsl/fsl_xcvr.c index d6f00920391d1..656a4d619cdf1 100644 --- a/sound/soc/fsl/fsl_xcvr.c +++ b/sound/soc/fsl/fsl_xcvr.c @@ -216,13 +216,10 @@ static int fsl_xcvr_mode_put(struct snd_kcontrol *kcontrol, xcvr->mode = snd_soc_enum_item_to_val(e, item[0]); - down_read(&card->snd_card->controls_rwsem); fsl_xcvr_activate_ctl(dai, fsl_xcvr_arc_mode_kctl.name, (xcvr->mode == FSL_XCVR_MODE_ARC)); fsl_xcvr_activate_ctl(dai, fsl_xcvr_earc_capds_kctl.name, (xcvr->mode == FSL_XCVR_MODE_EARC)); - up_read(&card->snd_card->controls_rwsem); - /* Allow playback for SPDIF only */ rtd = snd_soc_get_pcm_runtime(card, card->dai_link); rtd->pcm->streams[SNDRV_PCM_STREAM_PLAYBACK].substream_count = -- cgit 1.3-korg
29b2fbe3498dASoC: fsl_xcvr: Revert fix missing lock in fsl_xcvr_mode_put()
1 file changed · +0 −4
sound/soc/fsl/fsl_xcvr.c+0 −4 modifieddiff --git a/sound/soc/fsl/fsl_xcvr.c b/sound/soc/fsl/fsl_xcvr.c index 3a5ab8b536728..90a0a24c05d84 100644 --- a/sound/soc/fsl/fsl_xcvr.c +++ b/sound/soc/fsl/fsl_xcvr.c @@ -206,13 +206,10 @@ static int fsl_xcvr_mode_put(struct snd_kcontrol *kcontrol, xcvr->mode = snd_soc_enum_item_to_val(e, item[0]); - down_read(&card->snd_card->controls_rwsem); fsl_xcvr_activate_ctl(dai, fsl_xcvr_arc_mode_kctl.name, (xcvr->mode == FSL_XCVR_MODE_ARC)); fsl_xcvr_activate_ctl(dai, fsl_xcvr_earc_capds_kctl.name, (xcvr->mode == FSL_XCVR_MODE_EARC)); - up_read(&card->snd_card->controls_rwsem); - /* Allow playback for SPDIF only */ rtd = snd_soc_get_pcm_runtime(card, card->dai_link); rtd->pcm->streams[SNDRV_PCM_STREAM_PLAYBACK].substream_count = -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Acquiring a read lock while already holding a write lock on the same resource results in a deadlock."
Attack vector
An attacker can trigger this vulnerability by performing an operation that involves writing to the `controls_rwsem` lock, such as modifying an ALSA control element. The function `fsl_xcvr_mode_put()` is called during such operations. If this function attempts to acquire the `controls_rwsem` lock again while it is already held in write mode, a deadlock occurs.
Affected code
The vulnerability exists in the `fsl_xcvr_mode_put()` function within the file `sound/soc/fsl/fsl_xcvr.c`. Specifically, the lines attempting to acquire and release the `card->snd_card->controls_rwsem` lock were added in a previous commit and are now removed by this patch.
What the fix does
The patch reverts the addition of `down_read()` and `up_read()` calls within the `fsl_xcvr_mode_put()` function [patch_id=4686611]. These lock acquisitions were unnecessary because the calling function, `snd_ctl_elem_write()`, already holds the write lock on `controls_rwsem`. Removing these redundant lock acquisitions prevents the deadlock scenario.
Preconditions
- configThe system must have the fsl_xcvr driver loaded and configured.
- inputAn operation that triggers the `fsl_xcvr_mode_put()` function, such as writing to an ALSA control element.
Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
7- git.kernel.org/stable/c/0886dc6326c3cc596799c4340d342898301cf52anvd
- git.kernel.org/stable/c/29b2fbe3498da3681a01b34e4a2259f8a1b89448nvd
- git.kernel.org/stable/c/30ffcad5edb56947dccc26f6816ab7a55b21a711nvd
- git.kernel.org/stable/c/9a2a5da002775376498e8814df4a87cd629a3a0cnvd
- git.kernel.org/stable/c/9f16d96e1222391a6b996a1b676bec14fb91e3b2nvd
- git.kernel.org/stable/c/ae5a70e3e87c28edbaf9939cfef1bcbd9615420fnvd
- git.kernel.org/stable/c/b0f74f5d24fe3c73ef1369a811891198b54c1e8envd
News mentions
1- Linux Kernel: 25 Vulnerabilities Disclosed in Single Batch on June 3, 2026Vypr Intelligence · Jun 3, 2026