VYPR
Unrated severity · NVD Advisory · Published Dec 30, 2025 · Updated Apr 15, 2026

CVE-2023-54259

Description

In the Linux kernel, the following vulnerability has been resolved:

soundwire: bus: Fix unbalanced pm_runtime_put() causing usage count underflow

This reverts commit 443a98e649b4 ("soundwire: bus: use pm_runtime_resume_and_get()")

Change calls to pm_runtime_resume_and_get() back to pm_runtime_get_sync(). This fixes a usage count underrun caused by doing a pm_runtime_put() even though pm_runtime_resume_and_get() returned an error.

The three affected functions ignore -EACCES error from trying to get pm_runtime, and carry on, including a put at the end of the function. But pm_runtime_resume_and_get() does not increment the usage count if it returns an error. So in the -EACCES case you must not call pm_runtime_put().

The documentation for pm_runtime_get_sync() says: "Consider using pm_runtime_resume_and_get() ... as this is likely to result in cleaner code."

In this case I don't think it results in cleaner code because the pm_runtime_put() at the end of the function would have to be conditional on the return value from pm_runtime_resume_and_get() at the top of the function.

pm_runtime_get_sync() doesn't have this problem because it always increments the count, so always needs a put. The code can just flow through and do the pm_runtime_put() unconditionally.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel's soundwire bus, a revert fixes a pm_runtime usage count underflow caused by improper error handling after pm_runtime_resume_and_get() fails.

A vulnerability in the Linux kernel's soundwire bus driver leads to an unbalanced pm_runtime_put() call, causing a usage count underflow. The issue was introduced by commit 443a98e649b4, which changed pm_runtime_get_sync() to pm_runtime_resume_and_get() in three functions: __sdw_prepare_switch(), sdw_handle_slave_status(), and sdw_bus_master_add(). Unlike pm_runtime_get_sync(), pm_runtime_resume_and_get() does not increment the usage count when it returns an error (e.g., -EACCES). However, the affected functions continued to call pm_runtime_put() unconditionally, resulting in a usage count underflow [1].

To exploit this vulnerability, an attacker would need to trigger the error condition in one of these functions, potentially through controlled interactions with SoundWire devices. The bug manifests when pm_runtime_resume_and_get() returns -EACCES, which occurs if the runtime PM callback returns that error. Under normal operation, this could happen due to device power state transitions, but a malicious actor with local access might force such conditions to destabilize the system.

The primary impact is denial of service due to the usage count underflow. A negative usage count can lead to erratic runtime PM behavior, potentially causing device suspend/resume cycles to fail, resulting in system instability or resource unavailability. The vulnerability does not directly allow privilege escalation or data corruption.

The fix is a revert of the problematic commit, restoring pm_runtime_get_sync() in the three functions. This ensures that the usage count is always incremented, making the subsequent pm_runtime_put() safe. The patch is included in kernel stable updates [1]. No workaround is provided; applying the update is recommended.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

3

Vulnerability mechanics

Root cause

"Incorrect usage of pm_runtime_resume_and_get() leads to an unbalanced pm_runtime_put() call when an error occurs, causing a usage count underflow."

Attack vector

An attacker can trigger this vulnerability by causing the SoundWire bus to encounter an error condition, such as -EACCES, during a runtime power management operation. Because the affected functions incorrectly perform a `pm_runtime_put()` even when the initial `pm_runtime_resume_and_get()` call fails, the runtime usage count is decremented incorrectly [patch_id=5489, patch_id=5490, patch_id=5491]. This leads to a usage count underflow, potentially destabilizing the power management state of the SoundWire subsystem.

What the fix does

The patch reverts the use of `pm_runtime_resume_and_get()` and returns to using `pm_runtime_get_sync()` [patch_id=5489, patch_id=5490, patch_id=5491]. Unlike `pm_runtime_resume_and_get()`, `pm_runtime_get_sync()` consistently increments the usage count regardless of the return value, allowing for an unconditional `pm_runtime_put()` at the end of the function. This prevents the usage count underflow that occurred when the code attempted to decrement a count that was never incremented due to an error.
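
The usage-count accounting described above, as a userspace C model added here for illustration (not kernel code and not part of the patch). `model_dev`, `caller_after` and the `resume_ret` knob are hypothetical names, and the count is allowed to go negative so the underflow is visible.

```c
#include <errno.h>
#include <stdio.h>

struct model_dev {
    int usage_count;  /* stands in for the device's runtime PM usage count */
    int resume_ret;   /* constructed knob: result the resume attempt returns */
};

/* pm_runtime_get_sync() semantics: the count goes up even if resume fails. */
static int model_get_sync(struct model_dev *d)
{
    d->usage_count++;
    return d->resume_ret;
}

/* pm_runtime_resume_and_get() semantics: on error the reference is dropped. */
static int model_resume_and_get(struct model_dev *d)
{
    int ret = model_get_sync(d);
    if (ret < 0) {
        d->usage_count--;
        return ret;
    }
    return 0;
}

/* Caller shape from the description: ignore -EACCES, carry on, put at the end.
 * Returns the usage count left behind after one call. */
static int caller_after(int use_resume_and_get, int resume_ret)
{
    struct model_dev d = { .usage_count = 0, .resume_ret = resume_ret };
    int ret = use_resume_and_get ? model_resume_and_get(&d) : model_get_sync(&d);

    if (ret < 0 && ret != -EACCES) {
        if (!use_resume_and_get)
            d.usage_count--;  /* get_sync error path drops its own reference */
        return d.usage_count;
    }
    /* ... bus work would happen here ... */
    d.usage_count--;          /* the unconditional put at the end */
    return d.usage_count;
}

int main(void)
{
    printf("resume_and_get + -EACCES -> %d\n", caller_after(1, -EACCES));
    printf("get_sync       + -EACCES -> %d\n", caller_after(0, -EACCES));
    printf("resume_and_get + success -> %d\n", caller_after(1, 0));
    return 0;
}
```

Only the combination of `pm_runtime_resume_and_get()` semantics with the tolerated -EACCES path leaves the count below zero; every other path balances.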

Preconditions

  • config: The system must be using a kernel version where the SoundWire bus driver utilizes pm_runtime_resume_and_get().

Generated on May 11, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
