CVE-2023-53287
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-16

Last updated on: 2025-12-03

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: Put the cdns set active part outside the spin lock The device may be scheduled during the resume process, so this cannot appear in atomic operations. Since pm_runtime_set_active will resume suppliers, put set active outside the spin lock, which is only used to protect the struct cdns data structure, otherwise the kernel will report the following warning: BUG: sleeping function called from invalid context at drivers/base/power/runtime.c:1163 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 651, name: sh preempt_count: 1, expected: 0 RCU nest depth: 0, expected: 0 CPU: 0 PID: 651 Comm: sh Tainted: G WC 6.1.20 #1 Hardware name: Freescale i.MX8QM MEK (DT) Call trace: dump_backtrace.part.0+0xe0/0xf0 show_stack+0x18/0x30 dump_stack_lvl+0x64/0x80 dump_stack+0x1c/0x38 __might_resched+0x1fc/0x240 __might_sleep+0x68/0xc0 __pm_runtime_resume+0x9c/0xe0 rpm_get_suppliers+0x68/0x1b0 __pm_runtime_set_status+0x298/0x560 cdns_resume+0xb0/0x1c0 cdns3_controller_resume.isra.0+0x1e0/0x250 cdns3_plat_resume+0x28/0x40
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-16
Last Modified
2025-12-03
Generated
2026-05-07
AI Q&A
2025-09-16
EPSS Evaluated
2026-05-05
NVD
CVE-2023-53287
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 5.4 (inc) to 5.15.133 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.55 (exc)
linux linux_kernel From 6.2 (inc) to 6.5.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-NVD-CWE-noinfo
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in the Linux kernel's usb: cdns3 driver involves improper handling of the 'set active' operation inside a spin lock during the resume process. The device may be scheduled during resume, which cannot occur in atomic operations like those protected by spin locks. The fix moves the 'set active' call outside the spin lock to prevent the kernel from reporting a warning about a sleeping function being called from an invalid context.


How can this vulnerability impact me? :

The vulnerability can cause the Linux kernel to report warnings and potentially unstable behavior during device resume operations, specifically related to power management. This could lead to system instability or unexpected behavior when resuming USB devices using the cdns3 driver.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring the kernel logs for the specific warning message: 'BUG: sleeping function called from invalid context at drivers/base/power/runtime.c:1163'. You can use commands like 'dmesg | grep "BUG: sleeping function called from invalid context"' or 'journalctl -k | grep "BUG: sleeping function called from invalid context"' to identify if the issue is occurring on your system.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update the Linux kernel to a version where the issue is resolved, specifically where the cdns set active part is moved outside the spin lock in the usb: cdns3 driver. This prevents the kernel from calling sleeping functions in atomic context and avoids the reported BUG warning.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart