DEBIAN-CVE-2023-53855

Source
https://security-tracker.debian.org/tracker/CVE-2023-53855
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2023-53855.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2023-53855
Upstream
Published
2025-12-09T16:17:26.173Z
Modified
2025-12-10T11:16:55.193112Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

net: dsa: ocelot: call dsa_tag_8021q_unregister() under rtnl_lock() on driver remove

When the tagging protocol in current use is "ocelot-8021q" and we unbind the driver, we see this splat:

$ echo '0000:00:00.2' > /sys/bus/pci/drivers/fsl_enetc/unbind
mscc_felix 0000:00:00.5 swp0: left promiscuous mode
sja1105 spi2.0: Link is Down
DSA: tree 1 torn down
mscc_felix 0000:00:00.5 swp2: left promiscuous mode
sja1105 spi2.2: Link is Down
DSA: tree 3 torn down
fsl_enetc 0000:00:00.2 eno2: left promiscuous mode
mscc_felix 0000:00:00.5: Link is Down
------------[ cut here ]------------
RTNL: assertion failed at net/dsa/tag_8021q.c (409)
WARNING: CPU: 1 PID: 329 at net/dsa/tag_8021q.c:409 dsa_tag_8021q_unregister+0x12c/0x1a0
Modules linked in:
CPU: 1 PID: 329 Comm: bash Not tainted 6.5.0-rc3+ #771
pc : dsa_tag_8021q_unregister+0x12c/0x1a0
lr : dsa_tag_8021q_unregister+0x12c/0x1a0
Call trace:
dsa_tag_8021q_unregister+0x12c/0x1a0
felix_tag_8021q_teardown+0x130/0x150
felix_teardown+0x3c/0xd8
dsa_tree_teardown_switches+0xbc/0xe0
dsa_unregister_switch+0x168/0x260
felix_pci_remove+0x30/0x60
pci_device_remove+0x4c/0x100
device_release_driver_internal+0x188/0x288
device_links_unbind_consumers+0xfc/0x138
device_release_driver_internal+0xe0/0x288
device_driver_detach+0x24/0x38
unbind_store+0xd8/0x108
drv_attr_store+0x30/0x50
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
RTNL: assertion failed at net/8021q/vlan_core.c (376)
WARNING: CPU: 1 PID: 329 at net/8021q/vlan_core.c:376 vlan_vid_del+0x1b8/0x1f0
CPU: 1 PID: 329 Comm: bash Tainted: G W 6.5.0-rc3+ #771
pc : vlan_vid_del+0x1b8/0x1f0
lr : vlan_vid_del+0x1b8/0x1f0
dsa_tag_8021q_unregister+0x8c/0x1a0
felix_tag_8021q_teardown+0x130/0x150
felix_teardown+0x3c/0xd8
dsa_tree_teardown_switches+0xbc/0xe0
dsa_unregister_switch+0x168/0x260
felix_pci_remove+0x30/0x60
pci_device_remove+0x4c/0x100
device_release_driver_internal+0x188/0x288
device_links_unbind_consumers+0xfc/0x138
device_release_driver_internal+0xe0/0x288
device_driver_detach+0x24/0x38
unbind_store+0xd8/0x108
drv_attr_store+0x30/0x50
DSA: tree 0 torn down

This was somewhat not so easy to spot, because "ocelot-8021q" is not the default tagging protocol, and thus, not everyone who tests the unbinding path may have switched to it beforehand. The default felix_tag_npi_teardown() does not require rtnl_lock() to be held.

References

Affected packages

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.1.52-1

Affected versions

6.*
6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2023-53855.json"

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.4.11-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2023-53855.json"

Debian:14 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.4.11-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2023-53855.json"