CVE-2023-53591 (GCVE-0-2023-53591)
Vulnerability from cvelistv5
Published
2025-10-04 15:44
Modified
2025-10-04 15:44
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix deadlock in tc route query code Cited commit causes ABBA deadlock[0] when peer flows are created while holding the devcom rw semaphore. Due to peer flows offload implementation the lock is taken much higher up the call chain and there is no obvious way to easily fix the deadlock. Instead, since tc route query code needs the peer eswitch structure only to perform a lookup in xarray and doesn't perform any sleeping operations with it, refactor the code for lockless execution in following ways: - RCUify the devcom 'data' pointer. When resetting the pointer synchronously wait for RCU grace period before returning. This is fine since devcom is currently only used for synchronization of pairing/unpairing of eswitches which is rare and already expensive as-is. - Wrap all usages of 'paired' boolean in {READ|WRITE}_ONCE(). The flag has already been used in some unlocked contexts without proper annotations (e.g. users of mlx5_devcom_is_paired() function), but it wasn't an issue since all relevant code paths checked it again after obtaining the devcom semaphore. Now it is also used by mlx5_devcom_get_peer_data_rcu() as "best effort" check to return NULL when devcom is being unpaired. Note that while RCU read lock doesn't prevent the unpaired flag from being changed concurrently it still guarantees that reader can continue to use 'data'. - Refactor mlx5e_tc_query_route_vport() function to use new mlx5_devcom_get_peer_data_rcu() API which fixes the deadlock. [0]: [ 164.599612] ====================================================== [ 164.600142] WARNING: possible circular locking dependency detected [ 164.600667] 6.3.0-rc3+ #1 Not tainted [ 164.601021] ------------------------------------------------------ [ 164.601557] handler1/3456 is trying to acquire lock: [ 164.601998] ffff88811f1714b0 (&esw->offloads.encap_tbl_lock){+.+.}-{3:3}, at: mlx5e_attach_encap+0xd8/0x8b0 [mlx5_core] [ 164.603078] but task is already holding lock: [ 164.603617] ffff88810137fc98 (&comp->sem){++++}-{3:3}, at: mlx5_devcom_get_peer_data+0x37/0x80 [mlx5_core] [ 164.604459] which lock already depends on the new lock. [ 164.605190] the existing dependency chain (in reverse order) is: [ 164.605848] -> #1 (&comp->sem){++++}-{3:3}: [ 164.606380] down_read+0x39/0x50 [ 164.606772] mlx5_devcom_get_peer_data+0x37/0x80 [mlx5_core] [ 164.607336] mlx5e_tc_query_route_vport+0x86/0xc0 [mlx5_core] [ 164.607914] mlx5e_tc_tun_route_lookup+0x1a4/0x1d0 [mlx5_core] [ 164.608495] mlx5e_attach_decap_route+0xc6/0x1e0 [mlx5_core] [ 164.609063] mlx5e_tc_add_fdb_flow+0x1ea/0x360 [mlx5_core] [ 164.609627] __mlx5e_add_fdb_flow+0x2d2/0x430 [mlx5_core] [ 164.610175] mlx5e_configure_flower+0x952/0x1a20 [mlx5_core] [ 164.610741] tc_setup_cb_add+0xd4/0x200 [ 164.611146] fl_hw_replace_filter+0x14c/0x1f0 [cls_flower] [ 164.611661] fl_change+0xc95/0x18a0 [cls_flower] [ 164.612116] tc_new_tfilter+0x3fc/0xd20 [ 164.612516] rtnetlink_rcv_msg+0x418/0x5b0 [ 164.612936] netlink_rcv_skb+0x54/0x100 [ 164.613339] netlink_unicast+0x190/0x250 [ 164.613746] netlink_sendmsg+0x245/0x4a0 [ 164.614150] sock_sendmsg+0x38/0x60 [ 164.614522] ____sys_sendmsg+0x1d0/0x1e0 [ 164.614934] ___sys_sendmsg+0x80/0xc0 [ 164.615320] __sys_sendmsg+0x51/0x90 [ 164.615701] do_syscall_64+0x3d/0x90 [ 164.616083] entry_SYSCALL_64_after_hwframe+0x46/0xb0 [ 164.616568] -> #0 (&esw->offloads.encap_tbl_lock){+.+.}-{3:3}: [ 164.617210] __lock_acquire+0x159e/0x26e0 [ 164.617638] lock_acquire+0xc2/0x2a0 [ 164.618018] __mutex_lock+0x92/0xcd0 [ 164.618401] mlx5e_attach_encap+0xd8/0x8b0 [mlx5_core] [ 164.618943] post_process_attr+0x153/0x2d0 [ ---truncated---
References
Impacted products
Vendor Product Version
Linux Linux Version: f9d196bd632b8b79261ec3366c30ec3923ea9a02
Version: f9d196bd632b8b79261ec3366c30ec3923ea9a02
Version: f9d196bd632b8b79261ec3366c30ec3923ea9a02
Version: f9d196bd632b8b79261ec3366c30ec3923ea9a02
Version: 87a0625cf1c76caeaa15c576a0b2fcad4b9387d0
Version: 7778fe1a6a6c069a460e4e3ff8ed3722392a4b5b
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx5/core/en_tc.c",
            "drivers/net/ethernet/mellanox/mlx5/core/lib/devcom.c",
            "drivers/net/ethernet/mellanox/mlx5/core/lib/devcom.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "69966bce28da6aadccfd968b75d128a79da32d17",
              "status": "affected",
              "version": "f9d196bd632b8b79261ec3366c30ec3923ea9a02",
              "versionType": "git"
            },
            {
              "lessThan": "362063df6ceec80b0b6798b61ae03504dcc125a5",
              "status": "affected",
              "version": "f9d196bd632b8b79261ec3366c30ec3923ea9a02",
              "versionType": "git"
            },
            {
              "lessThan": "a7236e420a7d8082b1df4b3e05c739dd2642a662",
              "status": "affected",
              "version": "f9d196bd632b8b79261ec3366c30ec3923ea9a02",
              "versionType": "git"
            },
            {
              "lessThan": "691c041bf20899fc13c793f92ba61ab660fa3a30",
              "status": "affected",
              "version": "f9d196bd632b8b79261ec3366c30ec3923ea9a02",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "87a0625cf1c76caeaa15c576a0b2fcad4b9387d0",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "7778fe1a6a6c069a460e4e3ff8ed3722392a4b5b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx5/core/en_tc.c",
            "drivers/net/ethernet/mellanox/mlx5/core/lib/devcom.c",
            "drivers/net/ethernet/mellanox/mlx5/core/lib/devcom.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.115",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.3.*",
              "status": "unaffected",
              "version": "6.3.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.4",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.115",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.31",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.3.5",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.13.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.14.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix deadlock in tc route query code\n\nCited commit causes ABBA deadlock[0] when peer flows are created while\nholding the devcom rw semaphore. Due to peer flows offload implementation\nthe lock is taken much higher up the call chain and there is no obvious way\nto easily fix the deadlock. Instead, since tc route query code needs the\npeer eswitch structure only to perform a lookup in xarray and doesn\u0027t\nperform any sleeping operations with it, refactor the code for lockless\nexecution in following ways:\n\n- RCUify the devcom \u0027data\u0027 pointer. When resetting the pointer\nsynchronously wait for RCU grace period before returning. This is fine\nsince devcom is currently only used for synchronization of\npairing/unpairing of eswitches which is rare and already expensive as-is.\n\n- Wrap all usages of \u0027paired\u0027 boolean in {READ|WRITE}_ONCE(). The flag has\nalready been used in some unlocked contexts without proper\nannotations (e.g. users of mlx5_devcom_is_paired() function), but it wasn\u0027t\nan issue since all relevant code paths checked it again after obtaining the\ndevcom semaphore. Now it is also used by mlx5_devcom_get_peer_data_rcu() as\n\"best effort\" check to return NULL when devcom is being unpaired. Note that\nwhile RCU read lock doesn\u0027t prevent the unpaired flag from being changed\nconcurrently it still guarantees that reader can continue to use \u0027data\u0027.\n\n- Refactor mlx5e_tc_query_route_vport() function to use new\nmlx5_devcom_get_peer_data_rcu() API which fixes the deadlock.\n\n[0]:\n\n[  164.599612] ======================================================\n[  164.600142] WARNING: possible circular locking dependency detected\n[  164.600667] 6.3.0-rc3+ #1 Not tainted\n[  164.601021] ------------------------------------------------------\n[  164.601557] handler1/3456 is trying to acquire lock:\n[  164.601998] ffff88811f1714b0 (\u0026esw-\u003eoffloads.encap_tbl_lock){+.+.}-{3:3}, at: mlx5e_attach_encap+0xd8/0x8b0 [mlx5_core]\n[  164.603078]\n               but task is already holding lock:\n[  164.603617] ffff88810137fc98 (\u0026comp-\u003esem){++++}-{3:3}, at: mlx5_devcom_get_peer_data+0x37/0x80 [mlx5_core]\n[  164.604459]\n               which lock already depends on the new lock.\n\n[  164.605190]\n               the existing dependency chain (in reverse order) is:\n[  164.605848]\n               -\u003e #1 (\u0026comp-\u003esem){++++}-{3:3}:\n[  164.606380]        down_read+0x39/0x50\n[  164.606772]        mlx5_devcom_get_peer_data+0x37/0x80 [mlx5_core]\n[  164.607336]        mlx5e_tc_query_route_vport+0x86/0xc0 [mlx5_core]\n[  164.607914]        mlx5e_tc_tun_route_lookup+0x1a4/0x1d0 [mlx5_core]\n[  164.608495]        mlx5e_attach_decap_route+0xc6/0x1e0 [mlx5_core]\n[  164.609063]        mlx5e_tc_add_fdb_flow+0x1ea/0x360 [mlx5_core]\n[  164.609627]        __mlx5e_add_fdb_flow+0x2d2/0x430 [mlx5_core]\n[  164.610175]        mlx5e_configure_flower+0x952/0x1a20 [mlx5_core]\n[  164.610741]        tc_setup_cb_add+0xd4/0x200\n[  164.611146]        fl_hw_replace_filter+0x14c/0x1f0 [cls_flower]\n[  164.611661]        fl_change+0xc95/0x18a0 [cls_flower]\n[  164.612116]        tc_new_tfilter+0x3fc/0xd20\n[  164.612516]        rtnetlink_rcv_msg+0x418/0x5b0\n[  164.612936]        netlink_rcv_skb+0x54/0x100\n[  164.613339]        netlink_unicast+0x190/0x250\n[  164.613746]        netlink_sendmsg+0x245/0x4a0\n[  164.614150]        sock_sendmsg+0x38/0x60\n[  164.614522]        ____sys_sendmsg+0x1d0/0x1e0\n[  164.614934]        ___sys_sendmsg+0x80/0xc0\n[  164.615320]        __sys_sendmsg+0x51/0x90\n[  164.615701]        do_syscall_64+0x3d/0x90\n[  164.616083]        entry_SYSCALL_64_after_hwframe+0x46/0xb0\n[  164.616568]\n               -\u003e #0 (\u0026esw-\u003eoffloads.encap_tbl_lock){+.+.}-{3:3}:\n[  164.617210]        __lock_acquire+0x159e/0x26e0\n[  164.617638]        lock_acquire+0xc2/0x2a0\n[  164.618018]        __mutex_lock+0x92/0xcd0\n[  164.618401]        mlx5e_attach_encap+0xd8/0x8b0 [mlx5_core]\n[  164.618943]        post_process_attr+0x153/0x2d0 [\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-04T15:44:05.430Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/69966bce28da6aadccfd968b75d128a79da32d17"
        },
        {
          "url": "https://git.kernel.org/stable/c/362063df6ceec80b0b6798b61ae03504dcc125a5"
        },
        {
          "url": "https://git.kernel.org/stable/c/a7236e420a7d8082b1df4b3e05c739dd2642a662"
        },
        {
          "url": "https://git.kernel.org/stable/c/691c041bf20899fc13c793f92ba61ab660fa3a30"
        }
      ],
      "title": "net/mlx5e: Fix deadlock in tc route query code",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53591",
    "datePublished": "2025-10-04T15:44:05.430Z",
    "dateReserved": "2025-10-04T15:40:38.478Z",
    "dateUpdated": "2025-10-04T15:44:05.430Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-53591\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-10-04T16:15:55.550\",\"lastModified\":\"2025-10-06T14:56:21.733\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/mlx5e: Fix deadlock in tc route query code\\n\\nCited commit causes ABBA deadlock[0] when peer flows are created while\\nholding the devcom rw semaphore. Due to peer flows offload implementation\\nthe lock is taken much higher up the call chain and there is no obvious way\\nto easily fix the deadlock. Instead, since tc route query code needs the\\npeer eswitch structure only to perform a lookup in xarray and doesn\u0027t\\nperform any sleeping operations with it, refactor the code for lockless\\nexecution in following ways:\\n\\n- RCUify the devcom \u0027data\u0027 pointer. When resetting the pointer\\nsynchronously wait for RCU grace period before returning. This is fine\\nsince devcom is currently only used for synchronization of\\npairing/unpairing of eswitches which is rare and already expensive as-is.\\n\\n- Wrap all usages of \u0027paired\u0027 boolean in {READ|WRITE}_ONCE(). The flag has\\nalready been used in some unlocked contexts without proper\\nannotations (e.g. users of mlx5_devcom_is_paired() function), but it wasn\u0027t\\nan issue since all relevant code paths checked it again after obtaining the\\ndevcom semaphore. Now it is also used by mlx5_devcom_get_peer_data_rcu() as\\n\\\"best effort\\\" check to return NULL when devcom is being unpaired. Note that\\nwhile RCU read lock doesn\u0027t prevent the unpaired flag from being changed\\nconcurrently it still guarantees that reader can continue to use \u0027data\u0027.\\n\\n- Refactor mlx5e_tc_query_route_vport() function to use new\\nmlx5_devcom_get_peer_data_rcu() API which fixes the deadlock.\\n\\n[0]:\\n\\n[  164.599612] ======================================================\\n[  164.600142] WARNING: possible circular locking dependency detected\\n[  164.600667] 6.3.0-rc3+ #1 Not tainted\\n[  164.601021] ------------------------------------------------------\\n[  164.601557] handler1/3456 is trying to acquire lock:\\n[  164.601998] ffff88811f1714b0 (\u0026esw-\u003eoffloads.encap_tbl_lock){+.+.}-{3:3}, at: mlx5e_attach_encap+0xd8/0x8b0 [mlx5_core]\\n[  164.603078]\\n               but task is already holding lock:\\n[  164.603617] ffff88810137fc98 (\u0026comp-\u003esem){++++}-{3:3}, at: mlx5_devcom_get_peer_data+0x37/0x80 [mlx5_core]\\n[  164.604459]\\n               which lock already depends on the new lock.\\n\\n[  164.605190]\\n               the existing dependency chain (in reverse order) is:\\n[  164.605848]\\n               -\u003e #1 (\u0026comp-\u003esem){++++}-{3:3}:\\n[  164.606380]        down_read+0x39/0x50\\n[  164.606772]        mlx5_devcom_get_peer_data+0x37/0x80 [mlx5_core]\\n[  164.607336]        mlx5e_tc_query_route_vport+0x86/0xc0 [mlx5_core]\\n[  164.607914]        mlx5e_tc_tun_route_lookup+0x1a4/0x1d0 [mlx5_core]\\n[  164.608495]        mlx5e_attach_decap_route+0xc6/0x1e0 [mlx5_core]\\n[  164.609063]        mlx5e_tc_add_fdb_flow+0x1ea/0x360 [mlx5_core]\\n[  164.609627]        __mlx5e_add_fdb_flow+0x2d2/0x430 [mlx5_core]\\n[  164.610175]        mlx5e_configure_flower+0x952/0x1a20 [mlx5_core]\\n[  164.610741]        tc_setup_cb_add+0xd4/0x200\\n[  164.611146]        fl_hw_replace_filter+0x14c/0x1f0 [cls_flower]\\n[  164.611661]        fl_change+0xc95/0x18a0 [cls_flower]\\n[  164.612116]        tc_new_tfilter+0x3fc/0xd20\\n[  164.612516]        rtnetlink_rcv_msg+0x418/0x5b0\\n[  164.612936]        netlink_rcv_skb+0x54/0x100\\n[  164.613339]        netlink_unicast+0x190/0x250\\n[  164.613746]        netlink_sendmsg+0x245/0x4a0\\n[  164.614150]        sock_sendmsg+0x38/0x60\\n[  164.614522]        ____sys_sendmsg+0x1d0/0x1e0\\n[  164.614934]        ___sys_sendmsg+0x80/0xc0\\n[  164.615320]        __sys_sendmsg+0x51/0x90\\n[  164.615701]        do_syscall_64+0x3d/0x90\\n[  164.616083]        entry_SYSCALL_64_after_hwframe+0x46/0xb0\\n[  164.616568]\\n               -\u003e #0 (\u0026esw-\u003eoffloads.encap_tbl_lock){+.+.}-{3:3}:\\n[  164.617210]        __lock_acquire+0x159e/0x26e0\\n[  164.617638]        lock_acquire+0xc2/0x2a0\\n[  164.618018]        __mutex_lock+0x92/0xcd0\\n[  164.618401]        mlx5e_attach_encap+0xd8/0x8b0 [mlx5_core]\\n[  164.618943]        post_process_attr+0x153/0x2d0 [\\n---truncated---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/362063df6ceec80b0b6798b61ae03504dcc125a5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/691c041bf20899fc13c793f92ba61ab660fa3a30\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/69966bce28da6aadccfd968b75d128a79da32d17\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a7236e420a7d8082b1df4b3e05c739dd2642a662\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.