Instituto Nacional de Ciberseguridad. INCIBE-CERT section

CVE-2026-31667

Severity:
Pending analysis
Type:
Not available / Other type
Publication date:
24/04/2026
Last modified:
24/04/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

Input: uinput - fix circular locking dependency with ff-core

A lockdep circular locking dependency warning can be triggered reproducibly when using a force-feedback gamepad with uinput (for example, playing ELDEN RING under Wine with a Flydigi Vader 5 controller):

  ff->mutex -> udev->mutex -> input_mutex -> dev->mutex -> ff->mutex

The cycle is caused by four lock acquisition paths:

1. ff upload: input_ff_upload() holds ff->mutex and calls uinput_dev_upload_effect() -> uinput_request_submit() -> uinput_request_send(), which acquires udev->mutex.

2. device create: uinput_ioctl_handler() holds udev->mutex and calls uinput_create_device() -> input_register_device(), which acquires input_mutex.

3. device register: input_register_device() holds input_mutex and calls kbd_connect() -> input_register_handle(), which acquires dev->mutex.

4. evdev release: evdev_release() calls input_flush_device() under dev->mutex, which calls input_ff_flush() acquiring ff->mutex.

Fix this by introducing a new state_lock spinlock to protect udev->state and udev->dev access in uinput_request_send() instead of acquiring udev->mutex. The function only needs to atomically check device state and queue an input event into the ring buffer via uinput_dev_event() -- both operations are safe under a spinlock (ktime_get_ts64() and wake_up_interruptible() do not sleep). This breaks the ff->mutex -> udev->mutex link since a spinlock is a leaf in the lock ordering and cannot form cycles with mutexes.

To keep state transitions visible to uinput_request_send(), protect writes to udev->state in uinput_create_device() and uinput_destroy_device() with the same state_lock spinlock.

Additionally, move init_completion(&request->done) from uinput_request_send() to uinput_request_submit() before uinput_request_reserve_slot(). Once the slot is allocated, uinput_flush_requests() may call complete() on it at any time from the destroy path, so the completion must be initialised before the request becomes visible.

Lock ordering after the fix:

  ff->mutex -> state_lock (spinlock, leaf)
  udev->mutex -> state_lock (spinlock, leaf)
  udev->mutex -> input_mutex -> dev->mutex -> ff->mutex (no back-edge)
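
The lock-ordering argument in the description can be checked mechanically. The following added example (not part of the advisory or of the kernel patch) models each "held -> acquired" pair from the description as a graph edge and searches for a cycle, in the spirit of lockdep; the names find_cycle and leaf_locks are illustrative.

```python
# Added example: a miniature lock-order check in the spirit of lockdep.
# Each edge is a (held, acquired) pair taken from the description above.
BEFORE_FIX = [
    ("ff->mutex", "udev->mutex"),    # 1. ff upload
    ("udev->mutex", "input_mutex"),  # 2. device create
    ("input_mutex", "dev->mutex"),   # 3. device register
    ("dev->mutex", "ff->mutex"),     # 4. evdev release
]
AFTER_FIX = [
    ("ff->mutex", "state_lock"),     # uinput_request_send() takes the spinlock
    ("udev->mutex", "state_lock"),   # udev->state writes in create/destroy
    ("udev->mutex", "input_mutex"),
    ("input_mutex", "dev->mutex"),
    ("dev->mutex", "ff->mutex"),
]

def find_cycle(edges):
    """Return one cycle as a list of locks (first == last), or None."""
    graph = {}
    for held, acquired in edges:
        graph.setdefault(held, []).append(acquired)
        graph.setdefault(acquired, [])
    state = dict.fromkeys(graph, "new")  # new -> active (on stack) -> done
    stack = []

    def visit(lock):
        state[lock] = "active"
        stack.append(lock)
        for nxt in graph[lock]:
            if state[nxt] == "active":  # back-edge closes a cycle
                return stack[stack.index(nxt):] + [nxt]
            if state[nxt] == "new" and (found := visit(nxt)):
                return found
        stack.pop()
        state[lock] = "done"
        return None

    for lock in graph:
        if state[lock] == "new" and (found := visit(lock)):
            return found
    return None

def leaf_locks(edges):
    """Locks never held while acquiring another one (cannot be on a cycle)."""
    return {a for _, a in edges} - {h for h, _ in edges}

if __name__ == "__main__":
    print("before:", find_cycle(BEFORE_FIX))
    print("after: ", find_cycle(AFTER_FIX), "leaves:", leaf_locks(AFTER_FIX))
```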

Impact