CVE-2023-54149 (GCVE-0-2023-54149)
Vulnerability from cvelistv5
Published
2025-12-24 13:07
Modified
2025-12-24 13:07
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: dsa: avoid suspicious RCU usage for synced VLAN-aware MAC addresses
When using the felix driver (the only one which supports UC filtering
and MC filtering) as a DSA master for a random other DSA switch, one can
see the following stack trace when the downstream switch ports join a
VLAN-aware bridge:
=============================
WARNING: suspicious RCU usage
-----------------------------
net/8021q/vlan_core.c:238 suspicious rcu_dereference_protected() usage!
stack backtrace:
Workqueue: dsa_ordered dsa_slave_switchdev_event_work
Call trace:
lockdep_rcu_suspicious+0x170/0x210
vlan_for_each+0x8c/0x188
dsa_slave_sync_uc+0x128/0x178
__hw_addr_sync_dev+0x138/0x158
dsa_slave_set_rx_mode+0x58/0x70
__dev_set_rx_mode+0x88/0xa8
dev_uc_add+0x74/0xa0
dsa_port_bridge_host_fdb_add+0xec/0x180
dsa_slave_switchdev_event_work+0x7c/0x1c8
process_one_work+0x290/0x568
What it's saying is that vlan_for_each() expects rtnl_lock() context and
it's not getting it, when it's called from the DSA master's ndo_set_rx_mode().
The caller of that - dsa_slave_set_rx_mode() - is the slave DSA
interface's dsa_port_bridge_host_fdb_add() which comes from the deferred
dsa_slave_switchdev_event_work().
We went to great lengths to avoid the rtnl_lock() context in that call
path in commit 0faf890fc519 ("net: dsa: drop rtnl_lock from
dsa_slave_switchdev_event_work"), and calling rtnl_lock() is simply not
an option due to the possibility of deadlocking when calling
dsa_flush_workqueue() from the call paths that do hold rtnl_lock() -
basically all of them.
So, when the DSA master calls vlan_for_each() from its ndo_set_rx_mode(),
the state of the 8021q driver on this device is really not protected
from concurrent access by anything.
Looking at net/8021q/, I don't think that vlan_info->vid_list was
particularly designed with RCU traversal in mind, so introducing an RCU
read-side form of vlan_for_each() - vlan_for_each_rcu() - won't be so
easy, and it also wouldn't be exactly what we need anyway.
In general I believe that the solution isn't in net/8021q/ anyway;
vlan_for_each() is not cut out for this task. DSA doesn't need rtnl_lock()
to be held per se - since it's not a netdev state change that we're
blocking, but rather, just concurrent additions/removals to a VLAN list.
We don't even need sleepable context - the callback of vlan_for_each()
just schedules deferred work.
The proposed escape is to remove the dependency on vlan_for_each() and
to open-code a non-sleepable, rtnl-free alternative to that, based on
copies of the VLAN list modified from .ndo_vlan_rx_add_vid() and
.ndo_vlan_rx_kill_vid().
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/dsa.h",
"net/dsa/dsa.c",
"net/dsa/slave.c",
"net/dsa/switch.c",
"net/dsa/switch.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3948c69b3837fec2ee5a90fbc911c343199be0ac",
"status": "affected",
"version": "64fdc5f341db01200e33105265d4b8450122a82e",
"versionType": "git"
},
{
"lessThan": "3f9e79f31e51b7d5bf95c617540deb6cf2816a3f",
"status": "affected",
"version": "64fdc5f341db01200e33105265d4b8450122a82e",
"versionType": "git"
},
{
"lessThan": "d06f925f13976ab82167c93467c70a337a0a3cda",
"status": "affected",
"version": "64fdc5f341db01200e33105265d4b8450122a82e",
"versionType": "git"
},
{
"status": "affected",
"version": "2daf967a24334865e51520e55190a646dd480cd7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/dsa.h",
"net/dsa/dsa.c",
"net/dsa/slave.c",
"net/dsa/switch.c",
"net/dsa/switch.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.2.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: avoid suspicious RCU usage for synced VLAN-aware MAC addresses\n\nWhen using the felix driver (the only one which supports UC filtering\nand MC filtering) as a DSA master for a random other DSA switch, one can\nsee the following stack trace when the downstream switch ports join a\nVLAN-aware bridge:\n\n=============================\nWARNING: suspicious RCU usage\n-----------------------------\nnet/8021q/vlan_core.c:238 suspicious rcu_dereference_protected() usage!\n\nstack backtrace:\nWorkqueue: dsa_ordered dsa_slave_switchdev_event_work\nCall trace:\n lockdep_rcu_suspicious+0x170/0x210\n vlan_for_each+0x8c/0x188\n dsa_slave_sync_uc+0x128/0x178\n __hw_addr_sync_dev+0x138/0x158\n dsa_slave_set_rx_mode+0x58/0x70\n __dev_set_rx_mode+0x88/0xa8\n dev_uc_add+0x74/0xa0\n dsa_port_bridge_host_fdb_add+0xec/0x180\n dsa_slave_switchdev_event_work+0x7c/0x1c8\n process_one_work+0x290/0x568\n\nWhat it\u0027s saying is that vlan_for_each() expects rtnl_lock() context and\nit\u0027s not getting it, when it\u0027s called from the DSA master\u0027s ndo_set_rx_mode().\n\nThe caller of that - dsa_slave_set_rx_mode() - is the slave DSA\ninterface\u0027s dsa_port_bridge_host_fdb_add() which comes from the deferred\ndsa_slave_switchdev_event_work().\n\nWe went to great lengths to avoid the rtnl_lock() context in that call\npath in commit 0faf890fc519 (\"net: dsa: drop rtnl_lock from\ndsa_slave_switchdev_event_work\"), and calling rtnl_lock() is simply not\nan option due to the possibility of deadlocking when calling\ndsa_flush_workqueue() from the call paths that do hold rtnl_lock() -\nbasically all of them.\n\nSo, when the DSA master calls vlan_for_each() from its ndo_set_rx_mode(),\nthe state of the 8021q driver on this device is really not protected\nfrom concurrent access by anything.\n\nLooking at net/8021q/, I don\u0027t think that vlan_info-\u003evid_list was\nparticularly designed with RCU traversal in mind, so introducing an RCU\nread-side form of vlan_for_each() - vlan_for_each_rcu() - won\u0027t be so\neasy, and it also wouldn\u0027t be exactly what we need anyway.\n\nIn general I believe that the solution isn\u0027t in net/8021q/ anyway;\nvlan_for_each() is not cut out for this task. DSA doesn\u0027t need rtnl_lock()\nto be held per se - since it\u0027s not a netdev state change that we\u0027re\nblocking, but rather, just concurrent additions/removals to a VLAN list.\nWe don\u0027t even need sleepable context - the callback of vlan_for_each()\njust schedules deferred work.\n\nThe proposed escape is to remove the dependency on vlan_for_each() and\nto open-code a non-sleepable, rtnl-free alternative to that, based on\ncopies of the VLAN list modified from .ndo_vlan_rx_add_vid() and\n.ndo_vlan_rx_kill_vid()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:07:00.977Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3948c69b3837fec2ee5a90fbc911c343199be0ac"
},
{
"url": "https://git.kernel.org/stable/c/3f9e79f31e51b7d5bf95c617540deb6cf2816a3f"
},
{
"url": "https://git.kernel.org/stable/c/d06f925f13976ab82167c93467c70a337a0a3cda"
}
],
"title": "net: dsa: avoid suspicious RCU usage for synced VLAN-aware MAC addresses",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54149",
"datePublished": "2025-12-24T13:07:00.977Z",
"dateReserved": "2025-12-24T13:02:52.528Z",
"dateUpdated": "2025-12-24T13:07:00.977Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2023-54149\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-24T13:16:16.910\",\"lastModified\":\"2025-12-24T13:16:16.910\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: dsa: avoid suspicious RCU usage for synced VLAN-aware MAC addresses\\n\\nWhen using the felix driver (the only one which supports UC filtering\\nand MC filtering) as a DSA master for a random other DSA switch, one can\\nsee the following stack trace when the downstream switch ports join a\\nVLAN-aware bridge:\\n\\n=============================\\nWARNING: suspicious RCU usage\\n-----------------------------\\nnet/8021q/vlan_core.c:238 suspicious rcu_dereference_protected() usage!\\n\\nstack backtrace:\\nWorkqueue: dsa_ordered dsa_slave_switchdev_event_work\\nCall trace:\\n lockdep_rcu_suspicious+0x170/0x210\\n vlan_for_each+0x8c/0x188\\n dsa_slave_sync_uc+0x128/0x178\\n __hw_addr_sync_dev+0x138/0x158\\n dsa_slave_set_rx_mode+0x58/0x70\\n __dev_set_rx_mode+0x88/0xa8\\n dev_uc_add+0x74/0xa0\\n dsa_port_bridge_host_fdb_add+0xec/0x180\\n dsa_slave_switchdev_event_work+0x7c/0x1c8\\n process_one_work+0x290/0x568\\n\\nWhat it\u0027s saying is that vlan_for_each() expects rtnl_lock() context and\\nit\u0027s not getting it, when it\u0027s called from the DSA master\u0027s ndo_set_rx_mode().\\n\\nThe caller of that - dsa_slave_set_rx_mode() - is the slave DSA\\ninterface\u0027s dsa_port_bridge_host_fdb_add() which comes from the deferred\\ndsa_slave_switchdev_event_work().\\n\\nWe went to great lengths to avoid the rtnl_lock() context in that call\\npath in commit 0faf890fc519 (\\\"net: dsa: drop rtnl_lock from\\ndsa_slave_switchdev_event_work\\\"), and calling rtnl_lock() is simply not\\nan option due to the possibility of deadlocking when calling\\ndsa_flush_workqueue() from the call paths that do hold rtnl_lock() -\\nbasically all of them.\\n\\nSo, when the DSA master calls vlan_for_each() from its ndo_set_rx_mode(),\\nthe state of the 8021q driver on this device is really not protected\\nfrom concurrent access by anything.\\n\\nLooking at net/8021q/, I don\u0027t think that vlan_info-\u003evid_list was\\nparticularly designed with RCU traversal in mind, so introducing an RCU\\nread-side form of vlan_for_each() - vlan_for_each_rcu() - won\u0027t be so\\neasy, and it also wouldn\u0027t be exactly what we need anyway.\\n\\nIn general I believe that the solution isn\u0027t in net/8021q/ anyway;\\nvlan_for_each() is not cut out for this task. DSA doesn\u0027t need rtnl_lock()\\nto be held per se - since it\u0027s not a netdev state change that we\u0027re\\nblocking, but rather, just concurrent additions/removals to a VLAN list.\\nWe don\u0027t even need sleepable context - the callback of vlan_for_each()\\njust schedules deferred work.\\n\\nThe proposed escape is to remove the dependency on vlan_for_each() and\\nto open-code a non-sleepable, rtnl-free alternative to that, based on\\ncopies of the VLAN list modified from .ndo_vlan_rx_add_vid() and\\n.ndo_vlan_rx_kill_vid().\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/3948c69b3837fec2ee5a90fbc911c343199be0ac\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/3f9e79f31e51b7d5bf95c617540deb6cf2816a3f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d06f925f13976ab82167c93467c70a337a0a3cda\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…