In the Linux kernel, the following vulnerability has been resolved: Input: uinput - fix circular...

CVE-2026-31667 → View on GitHub ↗ View on CVE.org ↗ View on NVD ↗

Description

In the Linux kernel, the following vulnerability has been resolved:

Input: uinput - fix circular locking dependency with ff-core

A lockdep circular locking dependency warning can be triggered
reproducibly when using a force-feedback gamepad with uinput (for
example, playing ELDEN RING under Wine with a Flydigi Vader 5
controller):

ff->mutex -> udev->mutex -> input_mutex -> dev->mutex -> ff->mutex

The cycle is caused by four lock acquisition paths:

  1. ff upload: input_ff_upload() holds ff->mutex and calls
    uinput_dev_upload_effect() -> uinput_request_submit() ->
    uinput_request_send(), which acquires udev->mutex.

  2. device create: uinput_ioctl_handler() holds udev->mutex and calls
    uinput_create_device() -> input_register_device(), which acquires
    input_mutex.

  3. device register: input_register_device() holds input_mutex and
    calls kbd_connect() -> input_register_handle(), which acquires
    dev->mutex.

  4. evdev release: evdev_release() calls input_flush_device() under
    dev->mutex, which calls input_ff_flush() acquiring ff->mutex.

Fix this by introducing a new state_lock spinlock to protect
udev->state and udev->dev access in uinput_request_send() instead of
acquiring udev->mutex. The function only needs to atomically check
device state and queue an input event into the ring buffer via
uinput_dev_event() -- both operations are safe under a spinlock
(ktime_get_ts64() and wake_up_interruptible() do not sleep). This
breaks the ff->mutex -> udev->mutex link since a spinlock is a leaf in
the lock ordering and cannot form cycles with mutexes.

To keep state transitions visible to uinput_request_send(), protect
writes to udev->state in uinput_create_device() and
uinput_destroy_device() with the same state_lock spinlock.

Additionally, move init_completion(&request->done) from
uinput_request_send() to uinput_request_submit() before
uinput_request_reserve_slot(). Once the slot is allocated,
uinput_flush_requests() may call complete() on it at any time from
the destroy path, so the completion must be initialised before the
request becomes visible.

Lock ordering after the fix:

ff->mutex -> state_lock (spinlock, leaf)
udev->mutex -> state_lock (spinlock, leaf)
udev->mutex -> input_mutex -> dev->mutex -> ff->mutex (no back-edge)

Basic information

Type
unreviewed
Severity
high
Advisory on GitHub
Open advisory ↗
Repository advisory
Source code
Not specified
Published (advisory)
2026-04-24 15:32:37 UTC
Updated
2026-04-27 21:30:51 UTC
NVD published
2026-04-24 15:16:46 UTC

EPSS Score

Score Percentile
0.01% 1.40%

CVSS Scores

Base score Version Severity Vector
7.8 3.1
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Click to expand
Attack vector (AV:L)
They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.

Identifiers

Type Value
GHSA GHSA-mxvq-qhx2-fp47 ↗
CVE CVE-2026-31667 ↗

CWEs

CWE id Name
CWE-667 Improper Locking

References

cvelogic Threat Intelligence