{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2023-54288", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-12-30T12:06:44.526Z", "datePublished": "2025-12-30T12:23:27.765Z", "dateUpdated": "2025-12-30T12:23:27.765Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-12-30T12:23:27.765Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fortify the spinlock against deadlock by interrupt\n\nIn the function ieee80211_tx_dequeue() there is a particular locking\nsequence:\n\nbegin:\n\tspin_lock(&local->queue_stop_reason_lock);\n\tq_stopped = local->queue_stop_reasons[q];\n\tspin_unlock(&local->queue_stop_reason_lock);\n\nHowever small the chance (increased by ftracetest), an asynchronous\ninterrupt can occur in between of spin_lock() and spin_unlock(),\nand the interrupt routine will attempt to lock the same\n&local->queue_stop_reason_lock again.\n\nThis will cause a costly reset of the CPU and the wifi device or an\naltogether hang in the single CPU and single core scenario.\n\nThe only remaining spin_lock(&local->queue_stop_reason_lock) that\ndid not disable interrupts was patched, which should prevent any\ndeadlocks on the same CPU/core and the same wifi device.\n\nThis is the probable trace of the deadlock:\n\nkernel: ================================\nkernel: WARNING: inconsistent lock state\nkernel: 6.3.0-rc6-mt-20230401-00001-gf86822a1170f #4 Tainted: G W\nkernel: --------------------------------\nkernel: inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage.\nkernel: kworker/5:0/25656 [HC0[0]:SC0[0]:HE1:SE1] takes:\nkernel: ffff9d6190779478 (&local->queue_stop_reason_lock){+.?.}-{2:2}, at: return_to_handler+0x0/0x40\nkernel: {IN-SOFTIRQ-W} state was registered at:\nkernel: lock_acquire+0xc7/0x2d0\nkernel: _raw_spin_lock+0x36/0x50\nkernel: ieee80211_tx_dequeue+0xb4/0x1330 [mac80211]\nkernel: iwl_mvm_mac_itxq_xmit+0xae/0x210 [iwlmvm]\nkernel: iwl_mvm_mac_wake_tx_queue+0x2d/0xd0 [iwlmvm]\nkernel: ieee80211_queue_skb+0x450/0x730 [mac80211]\nkernel: __ieee80211_xmit_fast.constprop.66+0x834/0xa50 [mac80211]\nkernel: __ieee80211_subif_start_xmit+0x217/0x530 [mac80211]\nkernel: ieee80211_subif_start_xmit+0x60/0x580 [mac80211]\nkernel: dev_hard_start_xmit+0xb5/0x260\nkernel: __dev_queue_xmit+0xdbe/0x1200\nkernel: neigh_resolve_output+0x166/0x260\nkernel: ip_finish_output2+0x216/0xb80\nkernel: __ip_finish_output+0x2a4/0x4d0\nkernel: ip_finish_output+0x2d/0xd0\nkernel: ip_output+0x82/0x2b0\nkernel: ip_local_out+0xec/0x110\nkernel: igmpv3_sendpack+0x5c/0x90\nkernel: igmp_ifc_timer_expire+0x26e/0x4e0\nkernel: call_timer_fn+0xa5/0x230\nkernel: run_timer_softirq+0x27f/0x550\nkernel: __do_softirq+0xb4/0x3a4\nkernel: irq_exit_rcu+0x9b/0xc0\nkernel: sysvec_apic_timer_interrupt+0x80/0xa0\nkernel: asm_sysvec_apic_timer_interrupt+0x1f/0x30\nkernel: _raw_spin_unlock_irqrestore+0x3f/0x70\nkernel: free_to_partial_list+0x3d6/0x590\nkernel: __slab_free+0x1b7/0x310\nkernel: kmem_cache_free+0x52d/0x550\nkernel: putname+0x5d/0x70\nkernel: do_sys_openat2+0x1d7/0x310\nkernel: do_sys_open+0x51/0x80\nkernel: __x64_sys_openat+0x24/0x30\nkernel: do_syscall_64+0x5c/0x90\nkernel: entry_SYSCALL_64_after_hwframe+0x72/0xdc\nkernel: irq event stamp: 5120729\nkernel: hardirqs last enabled at (5120729): [<ffffffff9d149936>] trace_graph_return+0xd6/0x120\nkernel: hardirqs last disabled at (5120728): [<ffffffff9d149950>] trace_graph_return+0xf0/0x120\nkernel: softirqs last enabled at (5069900): [<ffffffff9cf65b60>] return_to_handler+0x0/0x40\nkernel: softirqs last disabled at (5067555): [<ffffffff9cf65b60>] return_to_handler+0x0/0x40\nkernel:\n other info that might help us debug this:\nkernel: Possible unsafe locking scenario:\nkernel: CPU0\nkernel: ----\nkernel: lock(&local->queue_stop_reason_lock);\nkernel: <Interrupt>\nkernel: lock(&local->queue_stop_reason_lock);\nkernel:\n *** DEADLOCK ***\nkernel: 8 locks held by kworker/5:0/25656:\nkernel: #0: ffff9d618009d138 ((wq_completion)events_freezable){+.+.}-{0:0}, at: process_one_work+0x1ca/0x530\nkernel: #1: ffffb1ef4637fe68 ((work_completion)(&local->restart_work)){+.+.}-{0:0}, at: process_one_work+0x1ce/0x530\nkernel: #2: ffffffff9f166548 (rtnl_mutex){+.+.}-{3:3}, at: return_to_handler+0x0/0x40\nkernel: #3: ffff9d619\n---truncated---"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/mac80211/tx.c"], "versions": [{"version": "7b8fe53d2a1da48db02ae961b29b8ee2f5515861", "lessThan": "c79d794a2cd76eca47b2491c5030be9a6418c5d6", "status": "affected", "versionType": "git"}, {"version": "4444bc2116aecdcde87dce80373540adc8bd478b", "lessThan": "6df3eafa31b3ee4f0cba601ca857019964355034", "status": "affected", "versionType": "git"}, {"version": "4444bc2116aecdcde87dce80373540adc8bd478b", "lessThan": "ef6e1997da63ad0ac3fe33153fec9524c9ae56c9", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/mac80211/tx.c"], "versions": [{"version": "6.2", "status": "affected"}, {"version": "0", "lessThan": "6.2", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.30", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.3.4", "lessThanOrEqual": "6.3.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.4", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.9", "versionEndExcluding": "6.1.30"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.3.4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.4"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/c79d794a2cd76eca47b2491c5030be9a6418c5d6"}, {"url": "https://git.kernel.org/stable/c/6df3eafa31b3ee4f0cba601ca857019964355034"}, {"url": "https://git.kernel.org/stable/c/ef6e1997da63ad0ac3fe33153fec9524c9ae56c9"}], "title": "wifi: mac80211: fortify the spinlock against deadlock by interrupt", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fortify the spinlock against deadlock by interrupt\n\nIn the function ieee80211_tx_dequeue() there is a particular locking\nsequence:\n\nbegin:\n\tspin_lock(&local->queue_stop_reason_lock);\n\tq_stopped = local->queue_stop_reasons[q];\n\tspin_unlock(&local->queue_stop_reason_lock);\n\nHowever small the chance (increased by ftracetest), an asynchronous\ninterrupt can occur in between of spin_lock() and spin_unlock(),\nand the interrupt routine will attempt to lock the same\n&local->queue_stop_reason_lock again.\n\nThis will cause a costly reset of the CPU and the wifi device or an\naltogether hang in the single CPU and single core scenario.\n\nThe only remaining spin_lock(&local->queue_stop_reason_lock) that\ndid not disable interrupts was patched, which should prevent any\ndeadlocks on the same CPU/core and the same wifi device.\n\nThis is the probable trace of the deadlock:\n\nkernel: ================================\nkernel: WARNING: inconsistent lock state\nkernel: 6.3.0-rc6-mt-20230401-00001-gf86822a1170f #4 Tainted: G W\nkernel: --------------------------------\nkernel: inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage.\nkernel: kworker/5:0/25656 [HC0[0]:SC0[0]:HE1:SE1] takes:\nkernel: ffff9d6190779478 (&local->queue_stop_reason_lock){+.?.}-{2:2}, at: return_to_handler+0x0/0x40\nkernel: {IN-SOFTIRQ-W} state was registered at:\nkernel: lock_acquire+0xc7/0x2d0\nkernel: _raw_spin_lock+0x36/0x50\nkernel: ieee80211_tx_dequeue+0xb4/0x1330 [mac80211]\nkernel: iwl_mvm_mac_itxq_xmit+0xae/0x210 [iwlmvm]\nkernel: iwl_mvm_mac_wake_tx_queue+0x2d/0xd0 [iwlmvm]\nkernel: ieee80211_queue_skb+0x450/0x730 [mac80211]\nkernel: __ieee80211_xmit_fast.constprop.66+0x834/0xa50 [mac80211]\nkernel: __ieee80211_subif_start_xmit+0x217/0x530 [mac80211]\nkernel: ieee80211_subif_start_xmit+0x60/0x580 [mac80211]\nkernel: dev_hard_start_xmit+0xb5/0x260\nkernel: __dev_queue_xmit+0xdbe/0x1200\nkernel: neigh_resolve_output+0x166/0x260\nkernel: ip_finish_output2+0x216/0xb80\nkernel: __ip_finish_output+0x2a4/0x4d0\nkernel: ip_finish_output+0x2d/0xd0\nkernel: ip_output+0x82/0x2b0\nkernel: ip_local_out+0xec/0x110\nkernel: igmpv3_sendpack+0x5c/0x90\nkernel: igmp_ifc_timer_expire+0x26e/0x4e0\nkernel: call_timer_fn+0xa5/0x230\nkernel: run_timer_softirq+0x27f/0x550\nkernel: __do_softirq+0xb4/0x3a4\nkernel: irq_exit_rcu+0x9b/0xc0\nkernel: sysvec_apic_timer_interrupt+0x80/0xa0\nkernel: asm_sysvec_apic_timer_interrupt+0x1f/0x30\nkernel: _raw_spin_unlock_irqrestore+0x3f/0x70\nkernel: free_to_partial_list+0x3d6/0x590\nkernel: __slab_free+0x1b7/0x310\nkernel: kmem_cache_free+0x52d/0x550\nkernel: putname+0x5d/0x70\nkernel: do_sys_openat2+0x1d7/0x310\nkernel: do_sys_open+0x51/0x80\nkernel: __x64_sys_openat+0x24/0x30\nkernel: do_syscall_64+0x5c/0x90\nkernel: entry_SYSCALL_64_after_hwframe+0x72/0xdc\nkernel: irq event stamp: 5120729\nkernel: hardirqs last enabled at (5120729): [<ffffffff9d149936>] trace_graph_return+0xd6/0x120\nkernel: hardirqs last disabled at (5120728): [<ffffffff9d149950>] trace_graph_return+0xf0/0x120\nkernel: softirqs last enabled at (5069900): [<ffffffff9cf65b60>] return_to_handler+0x0/0x40\nkernel: softirqs last disabled at (5067555): [<ffffffff9cf65b60>] return_to_handler+0x0/0x40\nkernel:\n other info that might help us debug this:\nkernel: Possible unsafe locking scenario:\nkernel: CPU0\nkernel: ----\nkernel: lock(&local->queue_stop_reason_lock);\nkernel: <Interrupt>\nkernel: lock(&local->queue_stop_reason_lock);\nkernel:\n *** DEADLOCK ***\nkernel: 8 locks held by kworker/5:0/25656:\nkernel: #0: ffff9d618009d138 ((wq_completion)events_freezable){+.+.}-{0:0}, at: process_one_work+0x1ca/0x530\nkernel: #1: ffffb1ef4637fe68 ((work_completion)(&local->restart_work)){+.+.}-{0:0}, at: process_one_work+0x1ce/0x530\nkernel: #2: ffffffff9f166548 (rtnl_mutex){+.+.}-{3:3}, at: return_to_handler+0x0/0x40\nkernel: #3: ffff9d619\n---truncated---"}], "id": "CVE-2023-54288", "lastModified": "2025-12-30T13:16:17.833", "metrics": {}, "published": "2025-12-30T13:16:17.833", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6df3eafa31b3ee4f0cba601ca857019964355034"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c79d794a2cd76eca47b2491c5030be9a6418c5d6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ef6e1997da63ad0ac3fe33153fec9524c9ae56c9"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{}