VYPR
Unrated severity · NVD Advisory · Published Dec 24, 2025 · Updated Apr 15, 2026

CVE-2023-54071


Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: rtw88: use work to update rate to avoid RCU warning

The ieee80211_ops::sta_rc_update must be atomic, because ieee80211_chan_bw_change() holds rcu_read lock while calling drv_sta_rc_update(), so create a work to do original things.

    Voluntary context switch within RCU read-side critical section!
    WARNING: CPU: 0 PID: 4621 at kernel/rcu/tree_plugin.h:318 rcu_note_context_switch+0x571/0x5d0
    CPU: 0 PID: 4621 Comm: kworker/u16:2 Tainted: G W OE
    Workqueue: phy3 ieee80211_chswitch_work [mac80211]
    RIP: 0010:rcu_note_context_switch+0x571/0x5d0
    Call Trace:
     __schedule+0xb0/0x1460
     ? __mod_timer+0x116/0x360
     schedule+0x5a/0xc0
     schedule_timeout+0x87/0x150
     ? trace_raw_output_tick_stop+0x60/0x60
     wait_for_completion_timeout+0x7b/0x140
     usb_start_wait_urb+0x82/0x160 [usbcore
     usb_control_msg+0xe3/0x140 [usbcore
     rtw_usb_read+0x88/0xe0 [rtw_usb
     rtw_usb_read8+0xf/0x10 [rtw_usb
     rtw_fw_send_h2c_command+0xa0/0x170 [rtw_core
     rtw_fw_send_ra_info+0xc9/0xf0 [rtw_core
     drv_sta_rc_update+0x7c/0x160 [mac80211
     ieee80211_chan_bw_change+0xfb/0x110 [mac80211
     ieee80211_change_chanctx+0x38/0x130 [mac80211
     ieee80211_vif_use_reserved_switch+0x34e/0x900 [mac80211
     ieee80211_link_use_reserved_context+0x88/0xe0 [mac80211
     ieee80211_chswitch_work+0x95/0x170 [mac80211
     process_one_work+0x201/0x410
     worker_thread+0x4a/0x3b0
     ? process_one_work+0x410/0x410
     kthread+0xe1/0x110
     ? kthread_complete_and_exit+0x20/0x20
     ret_from_fork+0x1f/0x30

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A Linux kernel wifi driver (rtw88) bug where a non-atomic operation in an RCU read-side critical section triggers a kernel warning, fixed by deferring rate update to a workqueue.

Vulnerability Overview

In the Linux kernel's rtw88 wireless driver, the ieee80211_ops::sta_rc_update callback was implemented in a way that could perform a voluntary context switch (e.g., sleeping) while inside an RCU read-side critical section. This violates RCU rules and triggers a kernel warning: "Voluntary context switch within RCU read-side critical section!" [1].

Root Cause and Exploitation

The issue occurs because ieee80211_chan_bw_change() holds an RCU read lock while calling drv_sta_rc_update(). The rtw88 driver's implementation of this callback could perform USB control message transfers (via rtw_usb_read8 and rtw_fw_send_h2c_command), which can sleep waiting for completion. This sleeping inside the RCU section leads to the warning. No special attacker prerequisites are needed; the bug can be triggered during normal channel switching operations in a wireless environment.

Impact

An attacker who can influence channel switching events (e.g., by sending appropriate wireless frames) could trigger this kernel warning repeatedly. While the warning itself does not directly cause a crash, it indicates a violation of kernel synchronization rules that could lead to unpredictable behavior or system instability. The call trace shows the path from ieee80211_chswitch_work through the driver's rate update code.

Mitigation

The fix, committed to the Linux kernel stable tree, moves the rate update work from the atomic RCU context to a workqueue, ensuring that sleeping operations are performed outside the RCU critical section [1]. Users should apply the kernel patch or update to a version containing commit 107677a8f43521e33e4a653e50fdf50fdf55ba622a4ce.
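
The deferral pattern described above, modelled in user space as an added example (this is not the rtw88 patch or kernel code). A nesting counter stands in for the RCU read lock, and every `model_*` name, `ra_work`, `run_bw_change` and the two `sta_rc_update_*` functions are hypothetical.

```c
/* User-space model of "sleeping callback under RCU" vs. "defer to work". */
#include <stdbool.h>
#include <stdio.h>

static int rcu_depth;        /* models rcu_read_lock() nesting */
static int sleep_violations; /* models the "Voluntary context switch" warning */
static int rates_sent;       /* completed rate updates */

static void model_rcu_read_lock(void)   { rcu_depth++; }
static void model_rcu_read_unlock(void) { rcu_depth--; }
/* Stands in for the blocking USB control transfer seen in the call trace. */
static void model_blocking_io(void)
{
    if (rcu_depth > 0)
        sleep_violations++;  /* slept inside a read-side critical section */
    rates_sent++;
}

/* Single-slot work item, standing in for a kernel work item (assumption). */
struct model_work { void (*fn)(void); bool pending; };
static struct model_work ra_work = { model_blocking_io, false };
static void model_queue_work(struct model_work *w) { w->pending = true; }
static void model_run_pending(struct model_work *w)
{
    if (w->pending && rcu_depth == 0) { w->pending = false; w->fn(); }
}

/* Before: the callback performs the blocking I/O itself. */
static void sta_rc_update_direct(void)   { model_blocking_io(); }
/* After: the callback only queues work, so it never sleeps. */
static void sta_rc_update_deferred(void) { model_queue_work(&ra_work); }

/* Models the caller invoking the callback while holding the RCU read lock. */
int run_bw_change(void (*cb)(void))
{
    sleep_violations = rates_sent = 0;
    model_rcu_read_lock();
    cb();
    model_rcu_read_unlock();
    model_run_pending(&ra_work); /* worker runs later, outside the RCU section */
    return sleep_violations;
}

int main(void)
{
    printf("direct:   %d violation(s)\n", run_bw_change(sta_rc_update_direct));
    printf("deferred: %d violation(s)\n", run_bw_change(sta_rc_update_deferred));
    return 0;
}
```

In both variants the rate update still completes once; only the context in which the blocking step runs changes.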

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
