From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 31CCA3446C3 for ; Wed, 24 Dec 2025 13:11:50 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1766581910; cv=none; b=sqvRlX3w1Q84ZFrEF6JX1CTXeF87Tn4VFKD4ydR4tc+DGezFW8/Qp1TQFHnwxSqWd30cV/1cUtiEH3U5IL3xTZ+TQ7yZVlQjXYOG/QY+QBanzlwW47N4x5talSV7F4obuIjkU07yqKXf/coAWUVrK4ICmBm0UL1E6WEgmHQ8v7Y= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1766581910; c=relaxed/simple; bh=xFRfyjt9/HiDWymSpytZDppfnarlvPNFh0XM6HZusbI=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=RP3AgVw52wh+qHf2m1N1ylPcIXD+pBF6PQhnrd0zuMJRWHDn3m0y0RoWk8QEmI9mHSnOSUtFxj46q/flAm1gGQNYuVgc36UO+PaXJtx+4Rlqrp/8QrtI2jde/i2QnKTUopkcpWdXEcTSowAquO29czkY7aNdE1yl9D3uqlXyK9M= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=yov8bd1j; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="yov8bd1j" Received: by smtp.kernel.org (Postfix) with ESMTPSA id AE14FC4CEFB; Wed, 24 Dec 2025 13:11:49 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1766581910; bh=xFRfyjt9/HiDWymSpytZDppfnarlvPNFh0XM6HZusbI=; h=From:To:Cc:Subject:Date:Reply-To:From; b=yov8bd1jLA42qUYvCRjnBPcx2q7FH9G+KXr7di+y0vKhd+2az5kIY0QHZmvHa94Mn NSh6dTlTW14hMHtj2nMnez+ar2fcyw144G+LV8bcUUTfVt9Dva/EQABt7ExEp7ShzR PL9au949Ye8h6yiwAJLwW6Q2z+YXsuRbhUqsY5w4= From: Greg Kroah-Hartman To: linux-cve-announce@vger.kernel.org Cc: Greg Kroah-Hartman Subject: CVE-2023-54149: net: dsa: avoid suspicious RCU usage for synced VLAN-aware MAC addresses Date: Wed, 24 Dec 2025 14:07:46 +0100 Message-ID: <2025122426-CVE-2023-54149-e39f@gregkh> X-Mailer: git-send-email 2.52.0 Reply-To: , Precedence: bulk X-Mailing-List: linux-cve-announce@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=4755; i=gregkh@linuxfoundation.org; h=from:subject:message-id; bh=xavZpfpgQt434rjR/gP8pnjxkRrG83tooAsySm5EdWg=; b=owGbwMvMwCRo6H6F97bub03G02pJDJneT4NWh6/qnC7qvftukJBI99u051k2Ohf4NSfOeSm8R +bkM611HbEsDIJMDLJiiixftvEc3V9xSNHL0PY0zBxWJpAhDFycAjCRxr0MC3ZuX3Je8MLUYyw7 tC5YO89LnWdl/JZhNpv3hOnLftUdPrX3iYIL39eJ+ZNLEwA= X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp; fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29 Content-Transfer-Encoding: 8bit From: Greg Kroah-Hartman Description =========== In the Linux kernel, the following vulnerability has been resolved: net: dsa: avoid suspicious RCU usage for synced VLAN-aware MAC addresses When using the felix driver (the only one which supports UC filtering and MC filtering) as a DSA master for a random other DSA switch, one can see the following stack trace when the downstream switch ports join a VLAN-aware bridge: ============================= WARNING: suspicious RCU usage ----------------------------- net/8021q/vlan_core.c:238 suspicious rcu_dereference_protected() usage! stack backtrace: Workqueue: dsa_ordered dsa_slave_switchdev_event_work Call trace: lockdep_rcu_suspicious+0x170/0x210 vlan_for_each+0x8c/0x188 dsa_slave_sync_uc+0x128/0x178 __hw_addr_sync_dev+0x138/0x158 dsa_slave_set_rx_mode+0x58/0x70 __dev_set_rx_mode+0x88/0xa8 dev_uc_add+0x74/0xa0 dsa_port_bridge_host_fdb_add+0xec/0x180 dsa_slave_switchdev_event_work+0x7c/0x1c8 process_one_work+0x290/0x568 What it's saying is that vlan_for_each() expects rtnl_lock() context and it's not getting it, when it's called from the DSA master's ndo_set_rx_mode(). The caller of that - dsa_slave_set_rx_mode() - is the slave DSA interface's dsa_port_bridge_host_fdb_add() which comes from the deferred dsa_slave_switchdev_event_work(). We went to great lengths to avoid the rtnl_lock() context in that call path in commit 0faf890fc519 ("net: dsa: drop rtnl_lock from dsa_slave_switchdev_event_work"), and calling rtnl_lock() is simply not an option due to the possibility of deadlocking when calling dsa_flush_workqueue() from the call paths that do hold rtnl_lock() - basically all of them. So, when the DSA master calls vlan_for_each() from its ndo_set_rx_mode(), the state of the 8021q driver on this device is really not protected from concurrent access by anything. Looking at net/8021q/, I don't think that vlan_info->vid_list was particularly designed with RCU traversal in mind, so introducing an RCU read-side form of vlan_for_each() - vlan_for_each_rcu() - won't be so easy, and it also wouldn't be exactly what we need anyway. In general I believe that the solution isn't in net/8021q/ anyway; vlan_for_each() is not cut out for this task. DSA doesn't need rtnl_lock() to be held per se - since it's not a netdev state change that we're blocking, but rather, just concurrent additions/removals to a VLAN list. We don't even need sleepable context - the callback of vlan_for_each() just schedules deferred work. The proposed escape is to remove the dependency on vlan_for_each() and to open-code a non-sleepable, rtnl-free alternative to that, based on copies of the VLAN list modified from .ndo_vlan_rx_add_vid() and .ndo_vlan_rx_kill_vid(). The Linux kernel CVE team has assigned CVE-2023-54149 to this issue. Affected and fixed versions =========================== Issue introduced in 6.3 with commit 64fdc5f341db01200e33105265d4b8450122a82e and fixed in 6.3.13 with commit 3948c69b3837fec2ee5a90fbc911c343199be0ac Issue introduced in 6.3 with commit 64fdc5f341db01200e33105265d4b8450122a82e and fixed in 6.4.4 with commit 3f9e79f31e51b7d5bf95c617540deb6cf2816a3f Issue introduced in 6.3 with commit 64fdc5f341db01200e33105265d4b8450122a82e and fixed in 6.5 with commit d06f925f13976ab82167c93467c70a337a0a3cda Issue introduced in 6.2.10 with commit 2daf967a24334865e51520e55190a646dd480cd7 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2023-54149 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: include/net/dsa.h net/dsa/dsa.c net/dsa/slave.c net/dsa/switch.c net/dsa/switch.h Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/3948c69b3837fec2ee5a90fbc911c343199be0ac https://git.kernel.org/stable/c/3f9e79f31e51b7d5bf95c617540deb6cf2816a3f https://git.kernel.org/stable/c/d06f925f13976ab82167c93467c70a337a0a3cda