CVE-2023-54288 (GCVE-0-2023-54288)

Vulnerability from cvelistv5 – Published: 2025-12-30 12:23 – Updated: 2025-12-30 12:23
Title
wifi: mac80211: fortify the spinlock against deadlock by interrupt
Summary
In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: fortify the spinlock against deadlock by interrupt

In the function ieee80211_tx_dequeue() there is a particular locking
sequence:

begin:
	spin_lock(&local->queue_stop_reason_lock);
	q_stopped = local->queue_stop_reasons[q];
	spin_unlock(&local->queue_stop_reason_lock);

However small the chance (increased by ftracetest), an asynchronous
interrupt can occur in between of spin_lock() and spin_unlock(),
and the interrupt routine will attempt to lock the same
&local->queue_stop_reason_lock again.

This will cause a costly reset of the CPU and the wifi device or an
altogether hang in the single CPU and single core scenario.

The only remaining spin_lock(&local->queue_stop_reason_lock) that
did not disable interrupts was patched, which should prevent any
deadlocks on the same CPU/core and the same wifi device.

This is the probable trace of the deadlock:

kernel: ================================
kernel: WARNING: inconsistent lock state
kernel: 6.3.0-rc6-mt-20230401-00001-gf86822a1170f #4 Tainted: G        W
kernel: --------------------------------
kernel: inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage.
kernel: kworker/5:0/25656 [HC0[0]:SC0[0]:HE1:SE1] takes:
kernel: ffff9d6190779478 (&local->queue_stop_reason_lock){+.?.}-{2:2}, at: return_to_handler+0x0/0x40
kernel: {IN-SOFTIRQ-W} state was registered at:
kernel:   lock_acquire+0xc7/0x2d0
kernel:   _raw_spin_lock+0x36/0x50
kernel:   ieee80211_tx_dequeue+0xb4/0x1330 [mac80211]
kernel:   iwl_mvm_mac_itxq_xmit+0xae/0x210 [iwlmvm]
kernel:   iwl_mvm_mac_wake_tx_queue+0x2d/0xd0 [iwlmvm]
kernel:   ieee80211_queue_skb+0x450/0x730 [mac80211]
kernel:   __ieee80211_xmit_fast.constprop.66+0x834/0xa50 [mac80211]
kernel:   __ieee80211_subif_start_xmit+0x217/0x530 [mac80211]
kernel:   ieee80211_subif_start_xmit+0x60/0x580 [mac80211]
kernel:   dev_hard_start_xmit+0xb5/0x260
kernel:   __dev_queue_xmit+0xdbe/0x1200
kernel:   neigh_resolve_output+0x166/0x260
kernel:   ip_finish_output2+0x216/0xb80
kernel:   __ip_finish_output+0x2a4/0x4d0
kernel:   ip_finish_output+0x2d/0xd0
kernel:   ip_output+0x82/0x2b0
kernel:   ip_local_out+0xec/0x110
kernel:   igmpv3_sendpack+0x5c/0x90
kernel:   igmp_ifc_timer_expire+0x26e/0x4e0
kernel:   call_timer_fn+0xa5/0x230
kernel:   run_timer_softirq+0x27f/0x550
kernel:   __do_softirq+0xb4/0x3a4
kernel:   irq_exit_rcu+0x9b/0xc0
kernel:   sysvec_apic_timer_interrupt+0x80/0xa0
kernel:   asm_sysvec_apic_timer_interrupt+0x1f/0x30
kernel:   _raw_spin_unlock_irqrestore+0x3f/0x70
kernel:   free_to_partial_list+0x3d6/0x590
kernel:   __slab_free+0x1b7/0x310
kernel:   kmem_cache_free+0x52d/0x550
kernel:   putname+0x5d/0x70
kernel:   do_sys_openat2+0x1d7/0x310
kernel:   do_sys_open+0x51/0x80
kernel:   __x64_sys_openat+0x24/0x30
kernel:   do_syscall_64+0x5c/0x90
kernel:   entry_SYSCALL_64_after_hwframe+0x72/0xdc
kernel: irq event stamp: 5120729
kernel: hardirqs last  enabled at (5120729): [<ffffffff9d149936>] trace_graph_return+0xd6/0x120
kernel: hardirqs last disabled at (5120728): [<ffffffff9d149950>] trace_graph_return+0xf0/0x120
kernel: softirqs last  enabled at (5069900): [<ffffffff9cf65b60>] return_to_handler+0x0/0x40
kernel: softirqs last disabled at (5067555): [<ffffffff9cf65b60>] return_to_handler+0x0/0x40
kernel:
        other info that might help us debug this:
kernel:  Possible unsafe locking scenario:
kernel:        CPU0
kernel:        ----
kernel:   lock(&local->queue_stop_reason_lock);
kernel:   <Interrupt>
kernel:     lock(&local->queue_stop_reason_lock);
kernel:
         *** DEADLOCK ***
kernel: 8 locks held by kworker/5:0/25656:
kernel:  #0: ffff9d618009d138 ((wq_completion)events_freezable){+.+.}-{0:0}, at: process_one_work+0x1ca/0x530
kernel:  #1: ffffb1ef4637fe68 ((work_completion)(&local->restart_work)){+.+.}-{0:0}, at: process_one_work+0x1ce/0x530
kernel:  #2: ffffffff9f166548 (rtnl_mutex){+.+.}-{3:3}, at: return_to_handler+0x0/0x40
kernel:  #3: ffff9d619
---truncated---
Severity
No CVSS data available.
Assigner
Impacted products
Vendor: Linux, Product: Linux
    Affected: 7b8fe53d2a1da48db02ae961b29b8ee2f5515861 , < c79d794a2cd76eca47b2491c5030be9a6418c5d6 (git)
    Affected: 4444bc2116aecdcde87dce80373540adc8bd478b , < 6df3eafa31b3ee4f0cba601ca857019964355034 (git)
    Affected: 4444bc2116aecdcde87dce80373540adc8bd478b , < ef6e1997da63ad0ac3fe33153fec9524c9ae56c9 (git)
Vendor: Linux, Product: Linux
    Affected: 6.2
    Unaffected: 0 , < 6.2 (semver)
    Unaffected: 6.1.30 , ≤ 6.1.* (semver)
    Unaffected: 6.3.4 , ≤ 6.3.* (semver)
    Unaffected: 6.4 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/mac80211/tx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c79d794a2cd76eca47b2491c5030be9a6418c5d6",
              "status": "affected",
              "version": "7b8fe53d2a1da48db02ae961b29b8ee2f5515861",
              "versionType": "git"
            },
            {
              "lessThan": "6df3eafa31b3ee4f0cba601ca857019964355034",
              "status": "affected",
              "version": "4444bc2116aecdcde87dce80373540adc8bd478b",
              "versionType": "git"
            },
            {
              "lessThan": "ef6e1997da63ad0ac3fe33153fec9524c9ae56c9",
              "status": "affected",
              "version": "4444bc2116aecdcde87dce80373540adc8bd478b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/mac80211/tx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.3.*",
              "status": "unaffected",
              "version": "6.3.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.4",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.30",
                  "versionStartIncluding": "6.1.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.3.4",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fortify the spinlock against deadlock by interrupt\n\nIn the function ieee80211_tx_dequeue() there is a particular locking\nsequence:\n\nbegin:\n\tspin_lock(\u0026local-\u003equeue_stop_reason_lock);\n\tq_stopped = local-\u003equeue_stop_reasons[q];\n\tspin_unlock(\u0026local-\u003equeue_stop_reason_lock);\n\nHowever small the chance (increased by ftracetest), an asynchronous\ninterrupt can occur in between of spin_lock() and spin_unlock(),\nand the interrupt routine will attempt to lock the same\n\u0026local-\u003equeue_stop_reason_lock again.\n\nThis will cause a costly reset of the CPU and the wifi device or an\naltogether hang in the single CPU and single core scenario.\n\nThe only remaining spin_lock(\u0026local-\u003equeue_stop_reason_lock) that\ndid not disable interrupts was patched, which should prevent any\ndeadlocks on the same CPU/core and the same wifi device.\n\nThis is the probable trace of the deadlock:\n\nkernel: ================================\nkernel: WARNING: inconsistent lock state\nkernel: 6.3.0-rc6-mt-20230401-00001-gf86822a1170f #4 Tainted: G        W\nkernel: --------------------------------\nkernel: inconsistent {IN-SOFTIRQ-W} -\u003e {SOFTIRQ-ON-W} usage.\nkernel: kworker/5:0/25656 [HC0[0]:SC0[0]:HE1:SE1] takes:\nkernel: ffff9d6190779478 (\u0026local-\u003equeue_stop_reason_lock){+.?.}-{2:2}, at: return_to_handler+0x0/0x40\nkernel: {IN-SOFTIRQ-W} state was registered at:\nkernel:   lock_acquire+0xc7/0x2d0\nkernel:   _raw_spin_lock+0x36/0x50\nkernel:   ieee80211_tx_dequeue+0xb4/0x1330 [mac80211]\nkernel:   iwl_mvm_mac_itxq_xmit+0xae/0x210 [iwlmvm]\nkernel:   iwl_mvm_mac_wake_tx_queue+0x2d/0xd0 [iwlmvm]\nkernel:   ieee80211_queue_skb+0x450/0x730 [mac80211]\nkernel:   __ieee80211_xmit_fast.constprop.66+0x834/0xa50 [mac80211]\nkernel:   __ieee80211_subif_start_xmit+0x217/0x530 [mac80211]\nkernel:   ieee80211_subif_start_xmit+0x60/0x580 
[mac80211]\nkernel:   dev_hard_start_xmit+0xb5/0x260\nkernel:   __dev_queue_xmit+0xdbe/0x1200\nkernel:   neigh_resolve_output+0x166/0x260\nkernel:   ip_finish_output2+0x216/0xb80\nkernel:   __ip_finish_output+0x2a4/0x4d0\nkernel:   ip_finish_output+0x2d/0xd0\nkernel:   ip_output+0x82/0x2b0\nkernel:   ip_local_out+0xec/0x110\nkernel:   igmpv3_sendpack+0x5c/0x90\nkernel:   igmp_ifc_timer_expire+0x26e/0x4e0\nkernel:   call_timer_fn+0xa5/0x230\nkernel:   run_timer_softirq+0x27f/0x550\nkernel:   __do_softirq+0xb4/0x3a4\nkernel:   irq_exit_rcu+0x9b/0xc0\nkernel:   sysvec_apic_timer_interrupt+0x80/0xa0\nkernel:   asm_sysvec_apic_timer_interrupt+0x1f/0x30\nkernel:   _raw_spin_unlock_irqrestore+0x3f/0x70\nkernel:   free_to_partial_list+0x3d6/0x590\nkernel:   __slab_free+0x1b7/0x310\nkernel:   kmem_cache_free+0x52d/0x550\nkernel:   putname+0x5d/0x70\nkernel:   do_sys_openat2+0x1d7/0x310\nkernel:   do_sys_open+0x51/0x80\nkernel:   __x64_sys_openat+0x24/0x30\nkernel:   do_syscall_64+0x5c/0x90\nkernel:   entry_SYSCALL_64_after_hwframe+0x72/0xdc\nkernel: irq event stamp: 5120729\nkernel: hardirqs last  enabled at (5120729): [\u003cffffffff9d149936\u003e] trace_graph_return+0xd6/0x120\nkernel: hardirqs last disabled at (5120728): [\u003cffffffff9d149950\u003e] trace_graph_return+0xf0/0x120\nkernel: softirqs last  enabled at (5069900): [\u003cffffffff9cf65b60\u003e] return_to_handler+0x0/0x40\nkernel: softirqs last disabled at (5067555): [\u003cffffffff9cf65b60\u003e] return_to_handler+0x0/0x40\nkernel:\n        other info that might help us debug this:\nkernel:  Possible unsafe locking scenario:\nkernel:        CPU0\nkernel:        ----\nkernel:   lock(\u0026local-\u003equeue_stop_reason_lock);\nkernel:   \u003cInterrupt\u003e\nkernel:     lock(\u0026local-\u003equeue_stop_reason_lock);\nkernel:\n         *** DEADLOCK ***\nkernel: 8 locks held by kworker/5:0/25656:\nkernel:  #0: ffff9d618009d138 ((wq_completion)events_freezable){+.+.}-{0:0}, at: 
process_one_work+0x1ca/0x530\nkernel:  #1: ffffb1ef4637fe68 ((work_completion)(\u0026local-\u003erestart_work)){+.+.}-{0:0}, at: process_one_work+0x1ce/0x530\nkernel:  #2: ffffffff9f166548 (rtnl_mutex){+.+.}-{3:3}, at: return_to_handler+0x0/0x40\nkernel:  #3: ffff9d619\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-30T12:23:27.765Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c79d794a2cd76eca47b2491c5030be9a6418c5d6"
        },
        {
          "url": "https://git.kernel.org/stable/c/6df3eafa31b3ee4f0cba601ca857019964355034"
        },
        {
          "url": "https://git.kernel.org/stable/c/ef6e1997da63ad0ac3fe33153fec9524c9ae56c9"
        }
      ],
      "title": "wifi: mac80211: fortify the spinlock against deadlock by interrupt",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-54288",
    "datePublished": "2025-12-30T12:23:27.765Z",
    "dateReserved": "2025-12-30T12:06:44.526Z",
    "dateUpdated": "2025-12-30T12:23:27.765Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-54288\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-30T13:16:17.833\",\"lastModified\":\"2025-12-31T20:42:43.210\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: mac80211: fortify the spinlock against deadlock by interrupt\\n\\nIn the function ieee80211_tx_dequeue() there is a particular locking\\nsequence:\\n\\nbegin:\\n\\tspin_lock(\u0026local-\u003equeue_stop_reason_lock);\\n\\tq_stopped = local-\u003equeue_stop_reasons[q];\\n\\tspin_unlock(\u0026local-\u003equeue_stop_reason_lock);\\n\\nHowever small the chance (increased by ftracetest), an asynchronous\\ninterrupt can occur in between of spin_lock() and spin_unlock(),\\nand the interrupt routine will attempt to lock the same\\n\u0026local-\u003equeue_stop_reason_lock again.\\n\\nThis will cause a costly reset of the CPU and the wifi device or an\\naltogether hang in the single CPU and single core scenario.\\n\\nThe only remaining spin_lock(\u0026local-\u003equeue_stop_reason_lock) that\\ndid not disable interrupts was patched, which should prevent any\\ndeadlocks on the same CPU/core and the same wifi device.\\n\\nThis is the probable trace of the deadlock:\\n\\nkernel: ================================\\nkernel: WARNING: inconsistent lock state\\nkernel: 6.3.0-rc6-mt-20230401-00001-gf86822a1170f #4 Tainted: G        W\\nkernel: --------------------------------\\nkernel: inconsistent {IN-SOFTIRQ-W} -\u003e {SOFTIRQ-ON-W} usage.\\nkernel: kworker/5:0/25656 [HC0[0]:SC0[0]:HE1:SE1] takes:\\nkernel: ffff9d6190779478 (\u0026local-\u003equeue_stop_reason_lock){+.?.}-{2:2}, at: return_to_handler+0x0/0x40\\nkernel: {IN-SOFTIRQ-W} state was registered at:\\nkernel:   lock_acquire+0xc7/0x2d0\\nkernel:   _raw_spin_lock+0x36/0x50\\nkernel:   ieee80211_tx_dequeue+0xb4/0x1330 [mac80211]\\nkernel:   
iwl_mvm_mac_itxq_xmit+0xae/0x210 [iwlmvm]\\nkernel:   iwl_mvm_mac_wake_tx_queue+0x2d/0xd0 [iwlmvm]\\nkernel:   ieee80211_queue_skb+0x450/0x730 [mac80211]\\nkernel:   __ieee80211_xmit_fast.constprop.66+0x834/0xa50 [mac80211]\\nkernel:   __ieee80211_subif_start_xmit+0x217/0x530 [mac80211]\\nkernel:   ieee80211_subif_start_xmit+0x60/0x580 [mac80211]\\nkernel:   dev_hard_start_xmit+0xb5/0x260\\nkernel:   __dev_queue_xmit+0xdbe/0x1200\\nkernel:   neigh_resolve_output+0x166/0x260\\nkernel:   ip_finish_output2+0x216/0xb80\\nkernel:   __ip_finish_output+0x2a4/0x4d0\\nkernel:   ip_finish_output+0x2d/0xd0\\nkernel:   ip_output+0x82/0x2b0\\nkernel:   ip_local_out+0xec/0x110\\nkernel:   igmpv3_sendpack+0x5c/0x90\\nkernel:   igmp_ifc_timer_expire+0x26e/0x4e0\\nkernel:   call_timer_fn+0xa5/0x230\\nkernel:   run_timer_softirq+0x27f/0x550\\nkernel:   __do_softirq+0xb4/0x3a4\\nkernel:   irq_exit_rcu+0x9b/0xc0\\nkernel:   sysvec_apic_timer_interrupt+0x80/0xa0\\nkernel:   asm_sysvec_apic_timer_interrupt+0x1f/0x30\\nkernel:   _raw_spin_unlock_irqrestore+0x3f/0x70\\nkernel:   free_to_partial_list+0x3d6/0x590\\nkernel:   __slab_free+0x1b7/0x310\\nkernel:   kmem_cache_free+0x52d/0x550\\nkernel:   putname+0x5d/0x70\\nkernel:   do_sys_openat2+0x1d7/0x310\\nkernel:   do_sys_open+0x51/0x80\\nkernel:   __x64_sys_openat+0x24/0x30\\nkernel:   do_syscall_64+0x5c/0x90\\nkernel:   entry_SYSCALL_64_after_hwframe+0x72/0xdc\\nkernel: irq event stamp: 5120729\\nkernel: hardirqs last  enabled at (5120729): [\u003cffffffff9d149936\u003e] trace_graph_return+0xd6/0x120\\nkernel: hardirqs last disabled at (5120728): [\u003cffffffff9d149950\u003e] trace_graph_return+0xf0/0x120\\nkernel: softirqs last  enabled at (5069900): [\u003cffffffff9cf65b60\u003e] return_to_handler+0x0/0x40\\nkernel: softirqs last disabled at (5067555): [\u003cffffffff9cf65b60\u003e] return_to_handler+0x0/0x40\\nkernel:\\n        other info that might help us debug this:\\nkernel:  Possible unsafe locking scenario:\\nkernel:        
CPU0\\nkernel:        ----\\nkernel:   lock(\u0026local-\u003equeue_stop_reason_lock);\\nkernel:   \u003cInterrupt\u003e\\nkernel:     lock(\u0026local-\u003equeue_stop_reason_lock);\\nkernel:\\n         *** DEADLOCK ***\\nkernel: 8 locks held by kworker/5:0/25656:\\nkernel:  #0: ffff9d618009d138 ((wq_completion)events_freezable){+.+.}-{0:0}, at: process_one_work+0x1ca/0x530\\nkernel:  #1: ffffb1ef4637fe68 ((work_completion)(\u0026local-\u003erestart_work)){+.+.}-{0:0}, at: process_one_work+0x1ce/0x530\\nkernel:  #2: ffffffff9f166548 (rtnl_mutex){+.+.}-{3:3}, at: return_to_handler+0x0/0x40\\nkernel:  #3: ffff9d619\\n---truncated---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/6df3eafa31b3ee4f0cba601ca857019964355034\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c79d794a2cd76eca47b2491c5030be9a6418c5d6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ef6e1997da63ad0ac3fe33153fec9524c9ae56c9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}

