CVE-2026-53331

Source
https://cve.org/CVERecord?id=CVE-2026-53331
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53331.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53331
Downstream
Published
2026-07-01T13:32:15.733Z
Modified
2026-07-08T08:07:25.177897944Z
Summary
slimbus: qcom-ngd-ctrl: Avoid ABBA on tx_lock/ctrl->lock
Details

In the Linux kernel, the following vulnerability has been resolved:

slimbus: qcom-ngd-ctrl: Avoid ABBA on tx_lock/ctrl->lock

During the SSR/PDR down notification the tx_lock is taken with the intent to provide synchronization with active DMA transfers.

But during this period qcomslimngddown() is invoked, which ends up in slimreportabsent(), which takes the slimcontroller lock. In multiple other codepaths these two locks are taken in the opposite order (i.e. slimcontroller then txlock).

The result is a lockdep splat, and a possible deadlock:

rprocctl/449 is trying to acquire lock: ffff00009793e620 (&ctrl->lock){+.+.}-{4:4}, at: slimreportabsent (drivers/slimbus/core.c:322) slimbus

but task is already holding lock: ffff00009793fb50 (&ctrl->txlock){+.+.}-{4:4}, at: qcomslimngdssrpdrnotify (drivers/slimbus/qcom-ngd-ctrl.c:1475) slimqcomngd_ctrl

which lock already depends on the new lock.

Possible unsafe locking scenario:

    CPU0                    CPU1
    ----                    ----

lock(&ctrl->txlock); lock(&ctrl->lock); lock(&ctrl->txlock); lock(&ctrl->lock);

The assumption is that the comment refers to the desire to not call qcomslimngdexitdma() while we have an ongoing DMA TX transaction. But any such transaction is initiated and completed within a single qcomslimngdxfermsg().

Prior to calling qcomslimngdexitdma() the slim_controller is torn down, all child devices are notified that the slimbus is gone and the child devices are removed.

Stop taking the txlock in qcomslimngdssrpdrnotify() to avoid the deadlock.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53331.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
a899d324863a3d15ce0eea513884e1b73a758c58
Fixed
3d1561537237c6cc1db76155183d8bbdac2339f0
Fixed
dc4d5c57e012c2c669793deb1515a57bbc6bf5dd
Fixed
d54a221b0f3cd9e1f03f18104be34e02a8258fae
Fixed
aad4337a21b9ad3ae8d668fa8678d05e26ecbaa8
Fixed
9f0d45d509b434c54da10e01f4ef8086e4583401
Fixed
9708eb50fd7343145b422be852f890212155d845
Fixed
55f2ea9ff83cc27a85526b14bc9b32f96a08d6ec

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53331.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.210
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.176
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.143
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.94
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.36
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.13

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53331.json"