In the Linux kernel, the following vulnerability has been resolved:
net: dsa: ocelot: call dsa_tag_8021q_unregister() under rtnl_lock() on driver remove
When the tagging protocol in current use is "ocelot-8021q" and we unbind the driver, we see this splat:
$ echo '0000:00:00.2' > /sys/bus/pci/drivers/fsl_enetc/unbind
mscc_felix 0000:00:00.5 swp0: left promiscuous mode
sja1105 spi2.0: Link is Down
DSA: tree 1 torn down
mscc_felix 0000:00:00.5 swp2: left promiscuous mode
sja1105 spi2.2: Link is Down
DSA: tree 3 torn down
fsl_enetc 0000:00:00.2 eno2: left promiscuous mode
mscc_felix 0000:00:00.5: Link is Down
------------[ cut here ]------------
RTNL: assertion failed at net/dsa/tag_8021q.c (409)
WARNING: CPU: 1 PID: 329 at net/dsa/tag_8021q.c:409 dsa_tag_8021q_unregister+0x12c/0x1a0
Modules linked in:
CPU: 1 PID: 329 Comm: bash Not tainted 6.5.0-rc3+ #771
pc : dsa_tag_8021q_unregister+0x12c/0x1a0
lr : dsa_tag_8021q_unregister+0x12c/0x1a0
Call trace:
 dsa_tag_8021q_unregister+0x12c/0x1a0
 felix_tag_8021q_teardown+0x130/0x150
 felix_teardown+0x3c/0xd8
 dsa_tree_teardown_switches+0xbc/0xe0
 dsa_unregister_switch+0x168/0x260
 felix_pci_remove+0x30/0x60
 pci_device_remove+0x4c/0x100
 device_release_driver_internal+0x188/0x288
 device_links_unbind_consumers+0xfc/0x138
 device_release_driver_internal+0xe0/0x288
 device_driver_detach+0x24/0x38
 unbind_store+0xd8/0x108
 drv_attr_store+0x30/0x50
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
RTNL: assertion failed at net/8021q/vlan_core.c (376)
WARNING: CPU: 1 PID: 329 at net/8021q/vlan_core.c:376 vlan_vid_del+0x1b8/0x1f0
CPU: 1 PID: 329 Comm: bash Tainted: G W 6.5.0-rc3+ #771
pc : vlan_vid_del+0x1b8/0x1f0
lr : vlan_vid_del+0x1b8/0x1f0
 dsa_tag_8021q_unregister+0x8c/0x1a0
 felix_tag_8021q_teardown+0x130/0x150
 felix_teardown+0x3c/0xd8
 dsa_tree_teardown_switches+0xbc/0xe0
 dsa_unregister_switch+0x168/0x260
 felix_pci_remove+0x30/0x60
 pci_device_remove+0x4c/0x100
 device_release_driver_internal+0x188/0x288
 device_links_unbind_consumers+0xfc/0x138
 device_release_driver_internal+0xe0/0x288
 device_driver_detach+0x24/0x38
 unbind_store+0xd8/0x108
 drv_attr_store+0x30/0x50
DSA: tree 0 torn down
This was somewhat not so easy to spot, because "ocelot-8021q" is not the default tagging protocol, and thus, not everyone who tests the unbinding path may have switched to it beforehand. The default felix_tag_npi_teardown() does not require rtnl_lock() to be held.
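A triage helper for kernel logs that contain splats of the kind quoted above, as an added example that is not part of the original commit or the kernel tree. It extracts each "RTNL: assertion failed" site and the functions that reached it without the lock; the names find_rtnl_splats and SAMPLE_LOG are hypothetical, and the sample is an abridged, constructed copy of the splat format shown on this page.

```python
import re

# Constructed, abridged sample modelled on the splat quoted above (not a real capture).
SAMPLE_LOG = """\
mscc_felix 0000:00:00.5: Link is Down
------------[ cut here ]------------
RTNL: assertion failed at net/dsa/tag_8021q.c (409)
WARNING: CPU: 1 PID: 329 at net/dsa/tag_8021q.c:409 dsa_tag_8021q_unregister+0x12c/0x1a0
CPU: 1 PID: 329 Comm: bash Not tainted 6.5.0-rc3+ #771
Call trace:
 dsa_tag_8021q_unregister+0x12c/0x1a0
 felix_tag_8021q_teardown+0x130/0x150
 felix_pci_remove+0x30/0x60
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
RTNL: assertion failed at net/8021q/vlan_core.c (376)
WARNING: CPU: 1 PID: 329 at net/8021q/vlan_core.c:376 vlan_vid_del+0x1b8/0x1f0
 dsa_tag_8021q_unregister+0x8c/0x1a0
 felix_pci_remove+0x30/0x60
DSA: tree 0 torn down
"""

ASSERT_RE = re.compile(r"RTNL: assertion failed at (\S+) \((\d+)\)")
WARN_RE = re.compile(r"WARNING: .* at (\S+):(\d+) (\w+)\+0x[0-9a-f]+/0x[0-9a-f]+")
# A stack frame line: optional dmesg timestamp, then symbol+offset/size and nothing else.
FRAME_RE = re.compile(r"^\s*(?:\[[^\]]*\]\s*)?(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+\s*$")

def find_rtnl_splats(log):
    """Return one dict per RTNL assertion: source site, asserting function, callers."""
    splats, cur = [], None
    for line in log.splitlines():
        m = ASSERT_RE.search(line)
        if m:
            cur = {"file": m.group(1), "line": int(m.group(2)), "func": None, "callers": []}
            splats.append(cur)
            continue
        if cur is None:
            continue
        w = WARN_RE.search(line)
        if w and (w.group(1), int(w.group(2))) == (cur["file"], cur["line"]):
            cur["func"] = w.group(3)          # function containing the failed assertion
        elif (f := FRAME_RE.match(line)):
            if f.group(1) != cur["func"]:     # skip the frame that repeats the site itself
                cur["callers"].append(f.group(1))
        elif "end trace" in line or "cut here" in line:
            cur = None                        # splat boundary: stop collecting frames
    return splats

if __name__ == "__main__":
    for s in find_rtnl_splats(SAMPLE_LOG):
        print(f'{s["file"]}:{s["line"]} {s["func"]} <- {" <- ".join(s["callers"])}')
```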
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53855.json"
}