CVE-2023-53855

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: dsa: ocelot: call dsa_tag_8021q_unregister() under rtnl_lock() on driver remove<br /> <br /> When the tagging protocol in current use is "ocelot-8021q" and we unbind<br /> the driver, we see this splat:<br /> <br /> $ echo &amp;#39;0000:00:00.2&amp;#39; &gt; /sys/bus/pci/drivers/fsl_enetc/unbind<br /> mscc_felix 0000:00:00.5 swp0: left promiscuous mode<br /> sja1105 spi2.0: Link is Down<br /> DSA: tree 1 torn down<br /> mscc_felix 0000:00:00.5 swp2: left promiscuous mode<br /> sja1105 spi2.2: Link is Down<br /> DSA: tree 3 torn down<br /> fsl_enetc 0000:00:00.2 eno2: left promiscuous mode<br /> mscc_felix 0000:00:00.5: Link is Down<br /> ------------[ cut here ]------------<br /> RTNL: assertion failed at net/dsa/tag_8021q.c (409)<br /> WARNING: CPU: 1 PID: 329 at net/dsa/tag_8021q.c:409 dsa_tag_8021q_unregister+0x12c/0x1a0<br /> Modules linked in:<br /> CPU: 1 PID: 329 Comm: bash Not tainted 6.5.0-rc3+ #771<br /> pc : dsa_tag_8021q_unregister+0x12c/0x1a0<br /> lr : dsa_tag_8021q_unregister+0x12c/0x1a0<br /> Call trace:<br /> dsa_tag_8021q_unregister+0x12c/0x1a0<br /> felix_tag_8021q_teardown+0x130/0x150<br /> felix_teardown+0x3c/0xd8<br /> dsa_tree_teardown_switches+0xbc/0xe0<br /> dsa_unregister_switch+0x168/0x260<br /> felix_pci_remove+0x30/0x60<br /> pci_device_remove+0x4c/0x100<br /> device_release_driver_internal+0x188/0x288<br /> device_links_unbind_consumers+0xfc/0x138<br /> device_release_driver_internal+0xe0/0x288<br /> device_driver_detach+0x24/0x38<br /> unbind_store+0xd8/0x108<br /> drv_attr_store+0x30/0x50<br /> ---[ end trace 0000000000000000 ]---<br /> ------------[ cut here ]------------<br /> RTNL: assertion failed at net/8021q/vlan_core.c (376)<br /> WARNING: CPU: 1 PID: 329 at net/8021q/vlan_core.c:376 vlan_vid_del+0x1b8/0x1f0<br /> CPU: 1 PID: 329 Comm: bash Tainted: G W 6.5.0-rc3+ #771<br /> pc : vlan_vid_del+0x1b8/0x1f0<br /> lr : vlan_vid_del+0x1b8/0x1f0<br /> dsa_tag_8021q_unregister+0x8c/0x1a0<br /> felix_tag_8021q_teardown+0x130/0x150<br /> felix_teardown+0x3c/0xd8<br /> dsa_tree_teardown_switches+0xbc/0xe0<br /> dsa_unregister_switch+0x168/0x260<br /> felix_pci_remove+0x30/0x60<br /> pci_device_remove+0x4c/0x100<br /> device_release_driver_internal+0x188/0x288<br /> device_links_unbind_consumers+0xfc/0x138<br /> device_release_driver_internal+0xe0/0x288<br /> device_driver_detach+0x24/0x38<br /> unbind_store+0xd8/0x108<br /> drv_attr_store+0x30/0x50<br /> DSA: tree 0 torn down<br /> <br /> This was somewhat not so easy to spot, because "ocelot-8021q" is not the<br /> default tagging protocol, and thus, not everyone who tests the unbinding<br /> path may have switched to it beforehand. The default<br /> felix_tag_npi_teardown() does not require rtnl_lock() to be held.