CVE-2023-54225
Description
In the Linux kernel, the following vulnerability has been resolved:
net: ipa: only reset hashed tables when supported
Last year, the code that manages GSI channel transactions switched from using spinlock-protected linked lists to using indexes into the ring buffer used for a channel. Recently, Google reported seeing transaction reference count underflows occasionally during shutdown.
Doug Anderson found a way to reproduce the issue reliably, and bisected the issue to the commit that eliminated the linked lists and the lock. The root cause was ultimately determined to be related to unused transactions being committed as part of the modem shutdown cleanup activity. Unused transactions are not normally expected (except in error cases).
The modem uses some ranges of IPA-resident memory, and whenever it shuts down we zero those ranges. In ipa_filter_reset_table() a transaction is allocated to zero modem filter table entries. If hashing is not supported, hashed table memory should not be zeroed. But currently nothing prevents that, and the result is an unused transaction. Something similar occurs when we zero routing table entries for the modem.
By preventing any attempt to clear hashed tables when hashing is not supported, the reference count underflow is avoided in this case.
Note that there likely remains an issue with properly freeing unused transactions (if they occur due to errors). This patch addresses only the underflows that Google originally reported.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's IPA driver, a missing check for hashing support leads to unused transactions and a reference count underflow during modem shutdown.
Root
Cause
In the Linux kernel's IPA (IP Accelerator) driver, the ipa_filter_reset_table() function unconditionally attempts to zero hashed filter table entries, even when the hardware does not support hashing. This results in the allocation of a transaction that is never used, leading to a reference count underflow during modem shutdown cleanup. The issue was exposed after a prior change replaced spinlock-protected linked lists with ring buffer indices, which made the underflow symptoms visible [1].
Attack
Vector and Prerequisites
The vulnerability is triggered during the modem shutdown sequence, when the driver zeros IPA-resident memory ranges used by the modem. No user authentication or special privilege is required to trigger the issue; it occurs as a normal part of the modem shutdown path. The attack surface is limited to systems running the affected kernel version with the IPA driver enabled [1].
Impact
An attacker with the ability to trigger repeated modem shutdowns could cause a reference count underflow, potentially leading to a use-after-free condition or kernel panic. The official report indicates that Google observed transaction reference count underflows, and Doug Anderson reliably reproduced the issue. The immediate impact is system instability and potential denial of service [1].
Mitigation
The vulnerability is fixed in the Linux kernel by adding a check for hash_supported before attempting to clear hashed table entries. The fix is included in the stable kernel tree. No workarounds are documented; users should apply the kernel patch to resolve the reference count underflow [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
350c24f0c9407c00af3a818cce11ec2b868afVulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3News mentions
0No linked articles in our index yet.