CVE-2023-54149

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: dsa: avoid suspicious RCU usage for synced VLAN-aware MAC addresses<br /> <br /> When using the felix driver (the only one which supports UC filtering<br /> and MC filtering) as a DSA master for a random other DSA switch, one can<br /> see the following stack trace when the downstream switch ports join a<br /> VLAN-aware bridge:<br /> <br /> =============================<br /> WARNING: suspicious RCU usage<br /> -----------------------------<br /> net/8021q/vlan_core.c:238 suspicious rcu_dereference_protected() usage!<br /> <br /> stack backtrace:<br /> Workqueue: dsa_ordered dsa_slave_switchdev_event_work<br /> Call trace:<br /> lockdep_rcu_suspicious+0x170/0x210<br /> vlan_for_each+0x8c/0x188<br /> dsa_slave_sync_uc+0x128/0x178<br /> __hw_addr_sync_dev+0x138/0x158<br /> dsa_slave_set_rx_mode+0x58/0x70<br /> __dev_set_rx_mode+0x88/0xa8<br /> dev_uc_add+0x74/0xa0<br /> dsa_port_bridge_host_fdb_add+0xec/0x180<br /> dsa_slave_switchdev_event_work+0x7c/0x1c8<br /> process_one_work+0x290/0x568<br /> <br /> What it&amp;#39;s saying is that vlan_for_each() expects rtnl_lock() context and<br /> it&amp;#39;s not getting it, when it&amp;#39;s called from the DSA master&amp;#39;s ndo_set_rx_mode().<br /> <br /> The caller of that - dsa_slave_set_rx_mode() - is the slave DSA<br /> interface&amp;#39;s dsa_port_bridge_host_fdb_add() which comes from the deferred<br /> dsa_slave_switchdev_event_work().<br /> <br /> We went to great lengths to avoid the rtnl_lock() context in that call<br /> path in commit 0faf890fc519 ("net: dsa: drop rtnl_lock from<br /> dsa_slave_switchdev_event_work"), and calling rtnl_lock() is simply not<br /> an option due to the possibility of deadlocking when calling<br /> dsa_flush_workqueue() from the call paths that do hold rtnl_lock() -<br /> basically all of them.<br /> <br /> So, when the DSA master calls vlan_for_each() from its ndo_set_rx_mode(),<br /> the state of the 8021q driver on this device is really not protected<br /> from concurrent access by anything.<br /> <br /> Looking at net/8021q/, I don&amp;#39;t think that vlan_info-&gt;vid_list was<br /> particularly designed with RCU traversal in mind, so introducing an RCU<br /> read-side form of vlan_for_each() - vlan_for_each_rcu() - won&amp;#39;t be so<br /> easy, and it also wouldn&amp;#39;t be exactly what we need anyway.<br /> <br /> In general I believe that the solution isn&amp;#39;t in net/8021q/ anyway;<br /> vlan_for_each() is not cut out for this task. DSA doesn&amp;#39;t need rtnl_lock()<br /> to be held per se - since it&amp;#39;s not a netdev state change that we&amp;#39;re<br /> blocking, but rather, just concurrent additions/removals to a VLAN list.<br /> We don&amp;#39;t even need sleepable context - the callback of vlan_for_each()<br /> just schedules deferred work.<br /> <br /> The proposed escape is to remove the dependency on vlan_for_each() and<br /> to open-code a non-sleepable, rtnl-free alternative to that, based on<br /> copies of the VLAN list modified from .ndo_vlan_rx_add_vid() and<br /> .ndo_vlan_rx_kill_vid().