CVE-2023-53855 in Linuxinfo

Summary

by MITRE • 12/09/2025

In the Linux kernel, the following vulnerability has been resolved:

net: dsa: ocelot: call dsa_tag_8021q_unregister() under rtnl_lock() on driver remove

When the tagging protocol in current use is "ocelot-8021q" and we unbind the driver, we see this splat:

$ echo '0000:00:00.2' > /sys/bus/pci/drivers/fsl_enetc/unbind mscc_felix 0000:00:00.5 swp0: left promiscuous mode sja1105 spi2.0: Link is Down DSA: tree 1 torn down mscc_felix 0000:00:00.5 swp2: left promiscuous mode sja1105 spi2.2: Link is Down DSA: tree 3 torn down fsl_enetc 0000:00:00.2 eno2: left promiscuous mode mscc_felix 0000:00:00.5: Link is Down ------------[ cut here ]------------
RTNL: assertion failed at net/dsa/tag_8021q.c (409) WARNING: CPU: 1 PID: 329 at net/dsa/tag_8021q.c:409 dsa_tag_8021q_unregister+0x12c/0x1a0 Modules linked in: CPU: 1 PID: 329 Comm: bash Not tainted 6.5.0-rc3+ #771 pc : dsa_tag_8021q_unregister+0x12c/0x1a0 lr : dsa_tag_8021q_unregister+0x12c/0x1a0 Call trace: dsa_tag_8021q_unregister+0x12c/0x1a0 felix_tag_8021q_teardown+0x130/0x150 felix_teardown+0x3c/0xd8 dsa_tree_teardown_switches+0xbc/0xe0 dsa_unregister_switch+0x168/0x260 felix_pci_remove+0x30/0x60 pci_device_remove+0x4c/0x100 device_release_driver_internal+0x188/0x288 device_links_unbind_consumers+0xfc/0x138 device_release_driver_internal+0xe0/0x288 device_driver_detach+0x24/0x38 unbind_store+0xd8/0x108 drv_attr_store+0x30/0x50 ---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
RTNL: assertion failed at net/8021q/vlan_core.c (376) WARNING: CPU: 1 PID: 329 at net/8021q/vlan_core.c:376 vlan_vid_del+0x1b8/0x1f0 CPU: 1 PID: 329 Comm: bash Tainted: G W 6.5.0-rc3+ #771 pc : vlan_vid_del+0x1b8/0x1f0 lr : vlan_vid_del+0x1b8/0x1f0 dsa_tag_8021q_unregister+0x8c/0x1a0 felix_tag_8021q_teardown+0x130/0x150 felix_teardown+0x3c/0xd8 dsa_tree_teardown_switches+0xbc/0xe0 dsa_unregister_switch+0x168/0x260 felix_pci_remove+0x30/0x60 pci_device_remove+0x4c/0x100 device_release_driver_internal+0x188/0x288 device_links_unbind_consumers+0xfc/0x138 device_release_driver_internal+0xe0/0x288 device_driver_detach+0x24/0x38 unbind_store+0xd8/0x108 drv_attr_store+0x30/0x50 DSA: tree 0 torn down

This was somewhat not so easy to spot, because "ocelot-8021q" is not the default tagging protocol, and thus, not everyone who tests the unbinding path may have switched to it beforehand. The default felix_tag_npi_teardown() does not require rtnl_lock() to be held.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 03/30/2026

The vulnerability described in CVE-2023-53855 resides within the Linux kernel's Data Switch Architecture (DSA) subsystem, specifically affecting the ocelot driver implementation. This issue manifests during the driver removal process when the "ocelot-8021q" tagging protocol is active, creating a critical race condition that results in kernel panics and system instability. The flaw occurs when attempting to unbind the fsl_enetc driver from a PCI device, triggering a cascade of operations that fail due to improper locking mechanisms. The error trace reveals two distinct assertion failures within the kernel's networking stack, first in net/dsa/tag_8021q.c at line 409 and subsequently in net/8021q/vlan_core.c at line 376, both occurring during the cleanup phase of DSA tree teardown operations.

The technical root cause stems from a missing synchronization primitive during the driver removal sequence. When the ocelot-8021q tagging protocol is in use, the dsa_tag_8021q_unregister() function must be executed under the rtnl_lock() to ensure thread safety and prevent concurrent access to shared data structures. However, during driver removal, this lock is not properly acquired, leading to a situation where the function attempts to modify VLAN-related data structures while they may be in an inconsistent state. This violates fundamental kernel locking principles and violates the requirements defined by the Linux kernel's locking documentation and the established patterns for DSA subsystem operations. The issue is particularly insidious because the default tagging protocol does not exhibit this behavior, making it difficult to reproduce and test.

The operational impact of this vulnerability is severe, as it can cause complete system crashes or kernel oops during normal driver unbinding operations, which may occur during system maintenance, hardware hot-plugging, or driver updates. The vulnerability affects systems using the fsl_enetc driver with the ocelot-8021q tagging protocol, which is commonly found in network switches and embedded systems where DSA is utilized for managing multiple switch ports. This issue directly relates to the Common Weakness Enumeration (CWE) category CWE-362, which describes race conditions, and aligns with the MITRE ATT&CK framework's T1490 technique for 'Inhibit System Recovery' through kernel-level disruptions. The vulnerability can be exploited by any entity with access to the system's PCI device unbinding interface, potentially leading to denial of service or system compromise.

Mitigation strategies for CVE-2023-53855 involve applying the kernel patch that ensures dsa_tag_8021q_unregister() is always called under the rtnl_lock() during driver removal operations. System administrators should update to kernel versions that contain this fix, typically those including the commit that addresses the specific locking issue. Organizations should also implement monitoring for unusual driver unbinding activities and ensure proper testing procedures are in place before deploying kernel updates. Additionally, disabling the ocelot-8021q tagging protocol when not actively required can serve as a temporary workaround. The fix aligns with the kernel's established best practices for concurrent access control and follows the recommended patterns for DSA driver lifecycle management. Security teams should also consider implementing automated patch management systems to ensure timely deployment of kernel security updates across all affected systems.

Responsible

Linux

Reservation

12/09/2025

Disclosure

12/09/2025

Moderation

accepted

CPE

ready

EPSS

0.00192

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!