CVE-2023-53764
Description
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath12k: Handle lock during peer_id find
ath12k_peer_find_by_id() requires that the caller hold the ab->base_lock. Currently the WBM error path does not hold the lock and calling that function, leads to the following lockdep_assert()in QCN9274:
[105162.160893] ------------[ cut here ]------------ [105162.160916] WARNING: CPU: 3 PID: 0 at drivers/net/wireless/ath/ath12k/peer.c:71 ath12k_peer_find_by_id+0x52/0x60 [ath12k] [105162.160933] Modules linked in: ath12k(O) qrtr_mhi qrtr mac80211 cfg80211 mhi qmi_helpers libarc4 nvme nvme_core [last unloaded: ath12k(O)] [105162.160967] CPU: 3 PID: 0 Comm: swapper/3 Tainted: G W O 6.1.0-rc2+ #3 [105162.160972] Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0056.2019.0506.1527 05/06/2019 [105162.160977] RIP: 0010:ath12k_peer_find_by_id+0x52/0x60 [ath12k] [105162.160990] Code: 07 eb 0f 39 68 24 74 0a 48 8b 00 48 39 f8 75 f3 31 c0 5b 5d c3 48 8d bf b0 f2 00 00 be ff ff ff ff e8 22 20 c4 e2 85 c0 75 bf <0f> 0b eb bb 66 2e 0f 1f 84 00 00 00 00 00 41 54 4c 8d a7 98 f2 00 [105162.160996] RSP: 0018:ffffa223001acc60 EFLAGS: 00010246 [105162.161003] RAX: 0000000000000000 RBX: ffff9f0573940000 RCX: 0000000000000000 [105162.161008] RDX: 0000000000000001 RSI: ffffffffa3951c8e RDI: ffffffffa39a96d7 [105162.161013] RBP: 000000000000000a R08: 0000000000000000 R09: 0000000000000000 [105162.161017] R10: ffffa223001acb40 R11: ffffffffa3d57c60 R12: ffff9f057394f2e0 [105162.161022] R13: ffff9f0573940000 R14: ffff9f04ecd659c0 R15: ffff9f04d5a9b040 [105162.161026] FS: 0000000000000000(0000) GS:ffff9f0575600000(0000) knlGS:0000000000000000 [105162.161031] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [105162.161036] CR2: 00001d5c8277a008 CR3: 00000001e6224006 CR4: 00000000003706e0 [105162.161041] Call Trace: [105162.161046] [105162.161051] ath12k_dp_rx_process_wbm_err+0x6da/0xaf0 [ath12k] [105162.161072] ? ath12k_dp_rx_process_err+0x80e/0x15a0 [ath12k] [105162.161084] ? __lock_acquire+0x4ca/0x1a60 [105162.161104] ath12k_dp_service_srng+0x263/0x310 [ath12k] [105162.161120] ath12k_pci_ext_grp_napi_poll+0x1c/0x70 [ath12k] [105162.161133] __napi_poll+0x22/0x260 [105162.161141] net_rx_action+0x2f8/0x380 [105162.161153] __do_softirq+0xd0/0x4c9 [105162.161162] irq_exit_rcu+0x88/0xe0 [105162.161169] common_interrupt+0xa5/0xc0 [105162.161174] [105162.161179] [105162.161184] asm_common_interrupt+0x22/0x40
Handle spin lock/unlock in WBM error path to hold the necessary lock expected by ath12k_peer_find_by_id().
Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0-03171-QCAHKSWPL_SILICONZ-1
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing lock in ath12k driver causes a lockdep assertion when processing WBM errors, potentially leading to deadlock or crash.
Vulnerability
In the Linux kernel's ath12k wireless driver, the function ath12k_peer_find_by_id() requires that the caller hold the ab->base_lock. However, the WBM (Wireless Buffer Management) error path does not acquire this lock before calling the function, triggering a lockdep assertion [1]. This was observed on QCN9274 hardware.
Exploitation
The vulnerability is triggered during the processing of WBM error frames in the driver's data path. An attacker with the ability to inject malformed or error-inducing frames over the air could cause the driver to enter the WBM error path, leading to the lock assertion and potential system instability. The flaw exists in the kernel's handling of peer lookup without proper synchronization.
Impact
If exploited, the missing lock can cause a kernel warning (as shown in the trace) and potentially lead to a deadlock or system crash due to unprotected access to shared data structures. This could result in denial of service (DoS) or further exploitation if the system becomes unstable.
Mitigation
The issue is resolved by committing the fix that ensures ab->base_lock is held before calling ath12k_peer_find_by_id() in the WBM error path. Users should update their kernel to include the stable commit referenced [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
29faf7c69661095a389e2ff32Vulnerability mechanics
Root cause
"Missing spin_lock acquisition before calling ath12k_peer_find_by_id() in the WBM error path violates the lock assertion on ab->base_lock."
Attack vector
An attacker can trigger the WBM (WBM) error path by sending malformed or corrupted frames over the wireless medium to a QCN9274-based device. When the driver processes the WBM error in ath12k_dp_rx_process_wbm_err(), it calls ath12k_peer_find_by_id() without holding ab->base_lock, causing a lockdep assertion failure and kernel WARNING. This is reachable from an unauthenticated adjacent attacker who can inject or manipulate 802.11 frames.
Affected code
The vulnerable code is in drivers/net/wireless/ath/ath12k/peer.c at function ath12k_peer_find_by_id() (line 71), which asserts ab->base_lock must be held. The caller ath12k_dp_rx_process_wbm_err() in the DP RX path fails to acquire this lock before calling the function.
What the fix does
The patch adds spin_lock_bh(&ab->base_lock) and spin_unlock_bh(&ab->base_lock) around the call to ath12k_peer_find_by_id() in the WBM error path of ath12k_dp_rx_process_wbm_err(). This ensures the lock is held as required by the callee's lockdep assertion [patch_id=3713][patch_id=3714]. Without this fix, any WBM error processing triggers a kernel warning and potential instability.
Preconditions
- networkAttacker must be within wireless range of a device using the ath12k driver (e.g., QCN9274)
- inputAttacker must send or cause corrupted/malformed 802.11 frames that trigger the WBM error processing path
Generated on May 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2News mentions
0No linked articles in our index yet.