GHSA-3V5G-MC4J-7VR8

Vulnerability from github – Published: 2025-12-30 15:30 – Updated: 2025-12-30 15:30
VLAI?
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: fortify the spinlock against deadlock by interrupt

In the function ieee80211_tx_dequeue() there is a particular locking sequence:

begin: spin_lock(&local->queue_stop_reason_lock); q_stopped = local->queue_stop_reasons[q]; spin_unlock(&local->queue_stop_reason_lock);

However small the chance (increased by ftracetest), an asynchronous interrupt can occur in between of spin_lock() and spin_unlock(), and the interrupt routine will attempt to lock the same &local->queue_stop_reason_lock again.

This will cause a costly reset of the CPU and the wifi device or an altogether hang in the single CPU and single core scenario.

The only remaining spin_lock(&local->queue_stop_reason_lock) that did not disable interrupts was patched, which should prevent any deadlocks on the same CPU/core and the same wifi device.

This is the probable trace of the deadlock:

kernel: ================================ kernel: WARNING: inconsistent lock state kernel: 6.3.0-rc6-mt-20230401-00001-gf86822a1170f #4 Tainted: G W kernel: -------------------------------- kernel: inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage. kernel: kworker/5:0/25656 [HC0[0]:SC0[0]:HE1:SE1] takes: kernel: ffff9d6190779478 (&local->queue_stop_reason_lock){+.?.}-{2:2}, at: return_to_handler+0x0/0x40 kernel: {IN-SOFTIRQ-W} state was registered at: kernel: lock_acquire+0xc7/0x2d0 kernel: _raw_spin_lock+0x36/0x50 kernel: ieee80211_tx_dequeue+0xb4/0x1330 [mac80211] kernel: iwl_mvm_mac_itxq_xmit+0xae/0x210 [iwlmvm] kernel: iwl_mvm_mac_wake_tx_queue+0x2d/0xd0 [iwlmvm] kernel: ieee80211_queue_skb+0x450/0x730 [mac80211] kernel: __ieee80211_xmit_fast.constprop.66+0x834/0xa50 [mac80211] kernel: __ieee80211_subif_start_xmit+0x217/0x530 [mac80211] kernel: ieee80211_subif_start_xmit+0x60/0x580 [mac80211] kernel: dev_hard_start_xmit+0xb5/0x260 kernel: __dev_queue_xmit+0xdbe/0x1200 kernel: neigh_resolve_output+0x166/0x260 kernel: ip_finish_output2+0x216/0xb80 kernel: __ip_finish_output+0x2a4/0x4d0 kernel: ip_finish_output+0x2d/0xd0 kernel: ip_output+0x82/0x2b0 kernel: ip_local_out+0xec/0x110 kernel: igmpv3_sendpack+0x5c/0x90 kernel: igmp_ifc_timer_expire+0x26e/0x4e0 kernel: call_timer_fn+0xa5/0x230 kernel: run_timer_softirq+0x27f/0x550 kernel: __do_softirq+0xb4/0x3a4 kernel: irq_exit_rcu+0x9b/0xc0 kernel: sysvec_apic_timer_interrupt+0x80/0xa0 kernel: asm_sysvec_apic_timer_interrupt+0x1f/0x30 kernel: _raw_spin_unlock_irqrestore+0x3f/0x70 kernel: free_to_partial_list+0x3d6/0x590 kernel: __slab_free+0x1b7/0x310 kernel: kmem_cache_free+0x52d/0x550 kernel: putname+0x5d/0x70 kernel: do_sys_openat2+0x1d7/0x310 kernel: do_sys_open+0x51/0x80 kernel: __x64_sys_openat+0x24/0x30 kernel: do_syscall_64+0x5c/0x90 kernel: entry_SYSCALL_64_after_hwframe+0x72/0xdc kernel: irq event stamp: 5120729 kernel: hardirqs last enabled at (5120729): [] trace_graph_return+0xd6/0x120 kernel: hardirqs last disabled at (5120728): [] trace_graph_return+0xf0/0x120 kernel: softirqs last enabled at (5069900): [] return_to_handler+0x0/0x40 kernel: softirqs last disabled at (5067555): [] return_to_handler+0x0/0x40 kernel: other info that might help us debug this: kernel: Possible unsafe locking scenario: kernel: CPU0 kernel: ---- kernel: lock(&local->queue_stop_reason_lock); kernel: kernel: lock(&local->queue_stop_reason_lock); kernel: *** DEADLOCK *** kernel: 8 locks held by kworker/5:0/25656: kernel: #0: ffff9d618009d138 ((wq_completion)events_freezable){+.+.}-{0:0}, at: process_one_work+0x1ca/0x530 kernel: #1: ffffb1ef4637fe68 ((work_completion)(&local->restart_work)){+.+.}-{0:0}, at: process_one_work+0x1ce/0x530 kernel: #2: ffffffff9f166548 (rtnl_mutex){+.+.}-{3:3}, at: return_to_handler+0x0/0x40 kernel: #3: ffff9d619 ---truncated---

Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2023-54288"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-30T13:16:17Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fortify the spinlock against deadlock by interrupt\n\nIn the function ieee80211_tx_dequeue() there is a particular locking\nsequence:\n\nbegin:\n\tspin_lock(\u0026local-\u003equeue_stop_reason_lock);\n\tq_stopped = local-\u003equeue_stop_reasons[q];\n\tspin_unlock(\u0026local-\u003equeue_stop_reason_lock);\n\nHowever small the chance (increased by ftracetest), an asynchronous\ninterrupt can occur in between of spin_lock() and spin_unlock(),\nand the interrupt routine will attempt to lock the same\n\u0026local-\u003equeue_stop_reason_lock again.\n\nThis will cause a costly reset of the CPU and the wifi device or an\naltogether hang in the single CPU and single core scenario.\n\nThe only remaining spin_lock(\u0026local-\u003equeue_stop_reason_lock) that\ndid not disable interrupts was patched, which should prevent any\ndeadlocks on the same CPU/core and the same wifi device.\n\nThis is the probable trace of the deadlock:\n\nkernel: ================================\nkernel: WARNING: inconsistent lock state\nkernel: 6.3.0-rc6-mt-20230401-00001-gf86822a1170f #4 Tainted: G        W\nkernel: --------------------------------\nkernel: inconsistent {IN-SOFTIRQ-W} -\u003e {SOFTIRQ-ON-W} usage.\nkernel: kworker/5:0/25656 [HC0[0]:SC0[0]:HE1:SE1] takes:\nkernel: ffff9d6190779478 (\u0026local-\u003equeue_stop_reason_lock){+.?.}-{2:2}, at: return_to_handler+0x0/0x40\nkernel: {IN-SOFTIRQ-W} state was registered at:\nkernel:   lock_acquire+0xc7/0x2d0\nkernel:   _raw_spin_lock+0x36/0x50\nkernel:   ieee80211_tx_dequeue+0xb4/0x1330 [mac80211]\nkernel:   iwl_mvm_mac_itxq_xmit+0xae/0x210 [iwlmvm]\nkernel:   iwl_mvm_mac_wake_tx_queue+0x2d/0xd0 [iwlmvm]\nkernel:   ieee80211_queue_skb+0x450/0x730 [mac80211]\nkernel:   __ieee80211_xmit_fast.constprop.66+0x834/0xa50 [mac80211]\nkernel:   __ieee80211_subif_start_xmit+0x217/0x530 [mac80211]\nkernel:   ieee80211_subif_start_xmit+0x60/0x580 [mac80211]\nkernel:   dev_hard_start_xmit+0xb5/0x260\nkernel:   __dev_queue_xmit+0xdbe/0x1200\nkernel:   neigh_resolve_output+0x166/0x260\nkernel:   ip_finish_output2+0x216/0xb80\nkernel:   __ip_finish_output+0x2a4/0x4d0\nkernel:   ip_finish_output+0x2d/0xd0\nkernel:   ip_output+0x82/0x2b0\nkernel:   ip_local_out+0xec/0x110\nkernel:   igmpv3_sendpack+0x5c/0x90\nkernel:   igmp_ifc_timer_expire+0x26e/0x4e0\nkernel:   call_timer_fn+0xa5/0x230\nkernel:   run_timer_softirq+0x27f/0x550\nkernel:   __do_softirq+0xb4/0x3a4\nkernel:   irq_exit_rcu+0x9b/0xc0\nkernel:   sysvec_apic_timer_interrupt+0x80/0xa0\nkernel:   asm_sysvec_apic_timer_interrupt+0x1f/0x30\nkernel:   _raw_spin_unlock_irqrestore+0x3f/0x70\nkernel:   free_to_partial_list+0x3d6/0x590\nkernel:   __slab_free+0x1b7/0x310\nkernel:   kmem_cache_free+0x52d/0x550\nkernel:   putname+0x5d/0x70\nkernel:   do_sys_openat2+0x1d7/0x310\nkernel:   do_sys_open+0x51/0x80\nkernel:   __x64_sys_openat+0x24/0x30\nkernel:   do_syscall_64+0x5c/0x90\nkernel:   entry_SYSCALL_64_after_hwframe+0x72/0xdc\nkernel: irq event stamp: 5120729\nkernel: hardirqs last  enabled at (5120729): [\u003cffffffff9d149936\u003e] trace_graph_return+0xd6/0x120\nkernel: hardirqs last disabled at (5120728): [\u003cffffffff9d149950\u003e] trace_graph_return+0xf0/0x120\nkernel: softirqs last  enabled at (5069900): [\u003cffffffff9cf65b60\u003e] return_to_handler+0x0/0x40\nkernel: softirqs last disabled at (5067555): [\u003cffffffff9cf65b60\u003e] return_to_handler+0x0/0x40\nkernel:\n        other info that might help us debug this:\nkernel:  Possible unsafe locking scenario:\nkernel:        CPU0\nkernel:        ----\nkernel:   lock(\u0026local-\u003equeue_stop_reason_lock);\nkernel:   \u003cInterrupt\u003e\nkernel:     lock(\u0026local-\u003equeue_stop_reason_lock);\nkernel:\n         *** DEADLOCK ***\nkernel: 8 locks held by kworker/5:0/25656:\nkernel:  #0: ffff9d618009d138 ((wq_completion)events_freezable){+.+.}-{0:0}, at: process_one_work+0x1ca/0x530\nkernel:  #1: ffffb1ef4637fe68 ((work_completion)(\u0026local-\u003erestart_work)){+.+.}-{0:0}, at: process_one_work+0x1ce/0x530\nkernel:  #2: ffffffff9f166548 (rtnl_mutex){+.+.}-{3:3}, at: return_to_handler+0x0/0x40\nkernel:  #3: ffff9d619\n---truncated---",
  "id": "GHSA-3v5g-mc4j-7vr8",
  "modified": "2025-12-30T15:30:34Z",
  "published": "2025-12-30T15:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-54288"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6df3eafa31b3ee4f0cba601ca857019964355034"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c79d794a2cd76eca47b2491c5030be9a6418c5d6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ef6e1997da63ad0ac3fe33153fec9524c9ae56c9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.