CVE-2023-54071 in Linux

Summary

by MITRE • 12/24/2025

In the Linux kernel, the following vulnerability has been resolved:

wifi: rtw88: use work to update rate to avoid RCU warning

The ieee80211_ops::sta_rc_update must be atomic, because ieee80211_chan_bw_change() holds rcu_read lock while calling drv_sta_rc_update(), so create a work to do original things.

Voluntary context switch within RCU read-side critical section!
WARNING: CPU: 0 PID: 4621 at kernel/rcu/tree_plugin.h:318 rcu_note_context_switch+0x571/0x5d0
CPU: 0 PID: 4621 Comm: kworker/u16:2 Tainted: G        W  OE
Workqueue: phy3 ieee80211_chswitch_work [mac80211]
RIP: 0010:rcu_note_context_switch+0x571/0x5d0
Call Trace:
 <TASK>
 __schedule+0xb0/0x1460
 ? __mod_timer+0x116/0x360
 schedule+0x5a/0xc0
 schedule_timeout+0x87/0x150
 ? trace_raw_output_tick_stop+0x60/0x60
 wait_for_completion_timeout+0x7b/0x140
 usb_start_wait_urb+0x82/0x160 [usbcore]
 usb_control_msg+0xe3/0x140 [usbcore]
 rtw_usb_read+0x88/0xe0 [rtw_usb]
 rtw_usb_read8+0xf/0x10 [rtw_usb]
 rtw_fw_send_h2c_command+0xa0/0x170 [rtw_core]
 rtw_fw_send_ra_info+0xc9/0xf0 [rtw_core]
 drv_sta_rc_update+0x7c/0x160 [mac80211]
 ieee80211_chan_bw_change+0xfb/0x110 [mac80211]
 ieee80211_change_chanctx+0x38/0x130 [mac80211]
 ieee80211_vif_use_reserved_switch+0x34e/0x900 [mac80211]
 ieee80211_link_use_reserved_context+0x88/0xe0 [mac80211]
 ieee80211_chswitch_work+0x95/0x170 [mac80211]
 process_one_work+0x201/0x410
 worker_thread+0x4a/0x3b0
 ? process_one_work+0x410/0x410
 kthread+0xe1/0x110
 ? kthread_complete_and_exit+0x20/0x20
 ret_from_fork+0x1f/0x30
 </TASK>


Analysis

by VulDB Data Team • 01/02/2026

CVE-2023-54071 covers a locking bug in the Linux kernel's rtw88 driver for Realtek wireless chipsets, in the wireless (mac80211) subsystem. mac80211 calls the driver's ieee80211_ops::sta_rc_update callback from ieee80211_chan_bw_change() while holding rcu_read_lock(), so the callback runs inside an RCU read-side critical section and must not sleep. The rtw88 implementation sent a rate-adaptation (RA) command to the firmware from that callback, and on the USB transport (rtw_usb) such an H2C command is carried by a synchronous usb_control_msg() that waits for completion. That wait is a voluntary context switch inside the RCU read-side critical section, which RCU reports with the WARN_ONCE at kernel/rcu/tree_plugin.h:318 in rcu_note_context_switch(). Nothing on this page supports calling the issue critical; it is a kernel warning and taint with an EPSS score of 0.00166 and no KEV listing.

The trace in the summary reads bottom-up. A channel-switch work item (ieee80211_chswitch_work on the phy3 workqueue, run by a kworker) goes through ieee80211_link_use_reserved_context(), ieee80211_vif_use_reserved_switch(), ieee80211_change_chanctx() and ieee80211_chan_bw_change(), which takes the RCU read lock and calls drv_sta_rc_update(), the mac80211 wrapper around the driver callback. From there the driver calls rtw_fw_send_ra_info(), rtw_fw_send_h2c_command() and rtw_usb_read8(), and the USB core (usb_control_msg(), usb_start_wait_urb(), wait_for_completion_timeout()) ends up in schedule(), at which point rcu_note_context_switch() raises the warning. The sleep therefore happens deep in the driver's USB transport, and it is the driver's callback, not drv_sta_rc_update() or mac80211, that breaks the contract.

The practical impact is availability and kernel health rather than privilege escalation: the page shows no attacker-controlled data reaching the sleeping path, and no ATT&CK technique is evidenced, so the earlier "privilege escalation" framing is not supported. What the trace does show is that the path is reached from a channel switch on the connected link, i.e. a normal network event rather than a local user action, so affected USB rtw88 devices hit it in ordinary operation. On a kernel with preemptible RCU (the configuration that emits this warning) the sleeping task is still tracked as blocking the grace period, so the visible damage is the taint, a grace period held open for the duration of the USB transfer and, under load, RCU stall reports. On a kernel built with non-preemptible RCU a context switch is treated as a quiescent state, so the same sleep can let a grace period complete while ieee80211_chan_bw_change() is still using RCU-protected station data; that is the general RCU misuse behind use-after-free bugs, although this page gives no evidence of it being reachable or exploitable here. VulDB classifies the weakness under CWE-691 (Insufficient Control Flow Management).

The fix moves the blocking part out of the callback. The rtw88 sta_rc_update callback now only records that the station's rate information changed and queues a work item; the work runs later in process context on a workqueue, with no RCU read lock held, and performs the firmware update, including the USB transfer, from there. The callback itself becomes atomic in the sense the ieee80211_ops contract requires (it returns without sleeping), and the RCU read-side critical section in ieee80211_chan_bw_change() ends before any sleeping occurs. This is the standard kernel pattern for a sleeping operation invoked from a non-sleeping context. Two details matter whenever it is applied, independent of how this particular patch handles them: the data the work needs must be copied or kept alive by a reference when the work is queued, because the station pointer handed to the callback is only guaranteed valid inside the RCU critical section, and pending work must be cancelled or flushed when the station is removed or the device torn down so that it never runs against freed state.
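To make the before/after shapes concrete, here is an added user-space model written for this page; it is not kernel, mac80211 or rtw88 code. The RCU read lock, the workqueue, the firmware H2C command and the USB control transfer are all stand-ins (rcu_read_lock(), queue_work(), flush_work(), cancel_work(), rtw_fw_send_ra_info_sim() and the rtw_sta_info/work_struct layouts are assumed names that mirror the kernel API in shape only). The "before" callback performs the sleeping transfer under the RCU read lock and trips the same check rcu_note_context_switch() performs; the "after" callback queues work that the worker runs outside the critical section. The last scenario shows the teardown caveat: a station removed before the worker runs must cancel its work first.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RCU stand-in: rcu_depth models rcu_preempt_depth(); rcu_violations counts
 * the WARN_ONCE that rcu_note_context_switch() would emit (assumed names). */
static int rcu_depth;
static int rcu_violations;

static void rcu_read_lock(void)   { rcu_depth++; }
static void rcu_read_unlock(void) { rcu_depth--; }

/* Every blocking primitive calls this, as schedule() in the kernel reaches
 * rcu_note_context_switch(false). Sleeping with rcu_depth > 0 is the bug. */
static void might_sleep_check(const char *who)
{
	if (rcu_depth > 0) {
		rcu_violations++;
		printf("WARNING: voluntary context switch within RCU read-side "
		       "critical section! (%s)\n", who);
	}
}

/* Firmware/USB stand-in: a synchronous control transfer always sleeps. */
struct fw_state { uint64_t last_ra_mask; int h2c_count; };
static struct fw_state fw;

static void rtw_fw_send_ra_info_sim(uint64_t ra_mask)
{
	might_sleep_check("rtw_fw_send_h2c_command -> usb_control_msg");
	fw.last_ra_mask = ra_mask;
	fw.h2c_count++;
}
uint64_t fw_last_ra_mask(void) { return fw.last_ra_mask; }
int fw_h2c_count(void) { return fw.h2c_count; }

/* Single-threaded workqueue stand-in. flush_work() plays the worker thread:
 * it runs in process context with no RCU read lock held. */
struct work_struct { void (*fn)(struct work_struct *); bool pending; };
static struct work_struct *wq[8];
static size_t wq_len;

static void queue_work(struct work_struct *w)
{
	if (!w->pending && wq_len < 8) { w->pending = true; wq[wq_len++] = w; }
}
static void cancel_work(struct work_struct *w)
{
	size_t j = 0;
	for (size_t i = 0; i < wq_len; i++)
		if (wq[i] != w) wq[j++] = wq[i];
	wq_len = j;
	w->pending = false;
}
static void flush_work(void)
{
	for (size_t i = 0; i < wq_len; i++) { wq[i]->pending = false; wq[i]->fn(wq[i]); }
	wq_len = 0;
}

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

struct rtw_sta_info { uint64_t ra_mask; struct work_struct rc_work; };

/* Before the fix: the callback does the firmware update, and therefore the
 * sleeping USB transfer, while mac80211 still holds rcu_read_lock(). */
static void sta_rc_update_before(struct rtw_sta_info *si, uint64_t mask)
{
	si->ra_mask = mask;
	rtw_fw_send_ra_info_sim(si->ra_mask);
}

/* After the fix: the callback only records the new rate state and queues
 * work; the sleeping part runs later from the work function. */
static void rtw_sta_rc_work(struct work_struct *w)
{
	struct rtw_sta_info *si = container_of(w, struct rtw_sta_info, rc_work);
	rtw_fw_send_ra_info_sim(si->ra_mask);
}
static void sta_rc_update_after(struct rtw_sta_info *si, uint64_t mask)
{
	si->ra_mask = mask;
	queue_work(&si->rc_work);
}

/* Models ieee80211_chan_bw_change(): the driver callback is invoked inside an
 * RCU read-side critical section. Returns the number of RCU warnings raised. */
int run_scenario(bool fixed)
{
	struct rtw_sta_info si = { 0, { rtw_sta_rc_work, false } };

	memset(&fw, 0, sizeof fw);
	rcu_violations = 0;
	rcu_read_lock();
	if (fixed)
		sta_rc_update_after(&si, 0xfffULL);
	else
		sta_rc_update_before(&si, 0xfffULL);
	rcu_read_unlock();
	flush_work();
	return rcu_violations;
}

/* Teardown caveat: the station goes away before the worker runs, so the work
 * is cancelled first. Returns how many H2C commands the firmware saw (0). */
int run_remove_before_worker(void)
{
	struct rtw_sta_info si = { 0, { rtw_sta_rc_work, false } };

	memset(&fw, 0, sizeof fw);
	rcu_read_lock();
	sta_rc_update_after(&si, 0x1ULL);
	rcu_read_unlock();
	cancel_work(&si.rc_work);  /* what a sta_remove path must do before freeing si */
	flush_work();
	return fw.h2c_count;
}

int main(void)
{
	printf("before fix: %d RCU warning(s)\n", run_scenario(false));
	printf("after fix:  %d RCU warning(s), ra_mask 0x%llx\n",
	       run_scenario(true), (unsigned long long)fw_last_ra_mask());
	printf("station removed before worker ran: %d H2C sent\n",
	       run_remove_before_worker());
	return 0;
}
```

The point of the model is the ordering: in the fixed variant the firmware command is still sent with the same rate mask, but only after rcu_read_unlock(), so the check that stands in for rcu_note_context_switch() never fires. In a real driver the worker would also take the driver's own mutex and the station state would need to stay valid until the work has run or been cancelled.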

Responsible

Linux

Reservation

12/24/2025

Disclosure

12/24/2025

Moderation

accepted

CPE

ready

EPSS

0.00166

KEV

no

Activities

very low
