CVE-2023-53809

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2023-53809
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-53809.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-53809
Downstream
Published
2025-12-09T00:01:07.120Z
Modified
2025-12-09T03:29:34.975796Z
Summary
l2tp: Avoid possible recursive deadlock in l2tp_tunnel_register()
Details

In the Linux kernel, the following vulnerability has been resolved:

l2tp: Avoid possible recursive deadlock in l2tptunnelregister()

When a file descriptor of pppol2tp socket is passed as file descriptor of UDP socket, a recursive deadlock occurs in l2tptunnelregister(). This situation is reproduced by the following program:

int main(void) { int sock; struct sockaddr_pppol2tp addr;

sock = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP);
if (sock < 0) {
    perror("socket");
    return 1;
}

addr.sa_family = AF_PPPOX;
addr.sa_protocol = PX_PROTO_OL2TP;
addr.pppol2tp.pid = 0;
addr.pppol2tp.fd = sock;
addr.pppol2tp.addr.sin_family = PF_INET;
addr.pppol2tp.addr.sin_port = htons(0);
addr.pppol2tp.addr.sin_addr.s_addr = inet_addr("192.168.0.1");
addr.pppol2tp.s_tunnel = 1;
addr.pppol2tp.s_session = 0;
addr.pppol2tp.d_tunnel = 0;
addr.pppol2tp.d_session = 0;

if (connect(sock, (const struct sockaddr *)&addr, sizeof(addr)) < 0) {
    perror("connect");
    return 1;
}

return 0;

}

This program causes the following lockdep warning:

============================================ WARNING: possible recursive locking detected 6.2.0-rc5-00205-gc96618275234 #56 Not tainted

repro/8607 is trying to acquire lock: ffff8880213c8130 (sklock-AFPPPOX){+.+.}-{0:0}, at: l2tptunnelregister+0x2b7/0x11c0

but task is already holding lock: ffff8880213c8130 (sklock-AFPPPOX){+.+.}-{0:0}, at: pppol2tp_connect+0xa82/0x1a30

other info that might help us debug this: Possible unsafe locking scenario:

    CPU0
    ----

lock(sklock-AFPPPOX); lock(sklock-AFPPPOX);

*** DEADLOCK ***

May be due to missing lock nesting notation

1 lock held by repro/8607: #0: ffff8880213c8130 (sklock-AFPPPOX){+.+.}-{0:0}, at: pppol2tp_connect+0xa82/0x1a30

stack backtrace: CPU: 0 PID: 8607 Comm: repro Not tainted 6.2.0-rc5-00205-gc96618275234 #56 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 Call Trace: <TASK> dumpstacklvl+0x100/0x178 __lockacquire.cold+0x119/0x3b9 ? lockdephardirqsonprepare+0x410/0x410 lockacquire+0x1e0/0x610 ? l2tptunnelregister+0x2b7/0x11c0 ? lockdowngrade+0x710/0x710 ? __fgetfiles+0x283/0x3e0 locksocknested+0x3a/0xf0 ? l2tptunnelregister+0x2b7/0x11c0 l2tptunnelregister+0x2b7/0x11c0 ? sprintf+0xc4/0x100 ? l2tptunneldelwork+0x6b0/0x6b0 ? debugobjectdeactivate+0x320/0x320 ? lockdepinitmaptype+0x16d/0x7a0 ? lockdepinitmaptype+0x16d/0x7a0 ? l2tptunnelcreate+0x2bf/0x4b0 ? l2tptunnelcreate+0x3c6/0x4b0 pppol2tpconnect+0x14e1/0x1a30 ? pppol2tpputsk+0xd0/0xd0 ? aaskperm+0x2b7/0xa80 ? aaafperm+0x260/0x260 ? bpflsmsocketconnect+0x9/0x10 ? pppol2tpputsk+0xd0/0xd0 __sysconnectfile+0x14f/0x190 __sys_connect+0x133/0x160 ? __sysconnectfile+0x190/0x190 ? lockdephardirqson+0x7d/0x100 ? ktimegetcoarserealts64+0x1b7/0x200 ? ktimegetcoarserealts64+0x147/0x200 ? __auditsyscallentry+0x396/0x500 __x64sysconnect+0x72/0xb0 dosyscall64+0x38/0xb0 entrySYSCALL64afterhwframe+0x63/0xcd

This patch fixes the issue by getting/creating the tunnel before locking the pppol2tp socket.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53809.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
2d77e5c0ad79004b5ef901895437e9cce6dfcc7e
Fixed
4a413d360959962995e16a899cf2b9ef53e9fcb9
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
77e8ed776cdb1a24b2aab8fe7c6f1f154235e1ce
Fixed
f6df58aa15f7d469f69b1dd21b001ff483255244
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
cef0845b6dcfa2f6c2c832e7f9622551456c741d
Fixed
4bb736b40475528ac1aa8c98b368563618488a70
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0b2c59720e65885a394a017d0cf9cab118914682
Fixed
5370647dd745bb3d8f37057006be207ddd8e9314
Fixed
9ca5e7ecab064f1f47da07f7c1ddf40e4bc0e5ac

Affected versions

v5.*
v5.10.166
v5.10.167
v5.10.168
v5.10.169
v5.10.170
v5.10.171
v5.10.172
v5.15.91
v5.15.92
v5.15.93
v5.15.94
v5.15.95
v5.15.96
v5.15.97
v5.15.98
v6.*
v6.1.10
v6.1.11
v6.1.12
v6.1.13
v6.1.14
v6.1.15
v6.1.9
v6.2
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.2.1
v6.2.2

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-53809.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.173
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.99
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.16
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.2.3

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-53809.json"