CVE-2023-53855
Description
In the Linux kernel, the following vulnerability has been resolved:
net: dsa: ocelot: call dsa_tag_8021q_unregister() under rtnl_lock() on driver remove
When the tagging protocol in current use is "ocelot-8021q" and we unbind the driver, we see this splat:
$ echo '0000:00:00.2' > /sys/bus/pci/drivers/fsl_enetc/unbind
mscc_felix 0000:00:00.5 swp0: left promiscuous mode
sja1105 spi2.0: Link is Down
DSA: tree 1 torn down
mscc_felix 0000:00:00.5 swp2: left promiscuous mode
sja1105 spi2.2: Link is Down
DSA: tree 3 torn down
fsl_enetc 0000:00:00.2 eno2: left promiscuous mode
mscc_felix 0000:00:00.5: Link is Down
------------[ cut here ]------------
RTNL: assertion failed at net/dsa/tag_8021q.c (409)
WARNING: CPU: 1 PID: 329 at net/dsa/tag_8021q.c:409 dsa_tag_8021q_unregister+0x12c/0x1a0
Modules linked in:
CPU: 1 PID: 329 Comm: bash Not tainted 6.5.0-rc3+ #771
pc : dsa_tag_8021q_unregister+0x12c/0x1a0
lr : dsa_tag_8021q_unregister+0x12c/0x1a0
Call trace:
 dsa_tag_8021q_unregister+0x12c/0x1a0
 felix_tag_8021q_teardown+0x130/0x150
 felix_teardown+0x3c/0xd8
 dsa_tree_teardown_switches+0xbc/0xe0
 dsa_unregister_switch+0x168/0x260
 felix_pci_remove+0x30/0x60
 pci_device_remove+0x4c/0x100
 device_release_driver_internal+0x188/0x288
 device_links_unbind_consumers+0xfc/0x138
 device_release_driver_internal+0xe0/0x288
 device_driver_detach+0x24/0x38
 unbind_store+0xd8/0x108
 drv_attr_store+0x30/0x50
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
RTNL: assertion failed at net/8021q/vlan_core.c (376)
WARNING: CPU: 1 PID: 329 at net/8021q/vlan_core.c:376 vlan_vid_del+0x1b8/0x1f0
CPU: 1 PID: 329 Comm: bash Tainted: G W 6.5.0-rc3+ #771
pc : vlan_vid_del+0x1b8/0x1f0
lr : vlan_vid_del+0x1b8/0x1f0
 dsa_tag_8021q_unregister+0x8c/0x1a0
 felix_tag_8021q_teardown+0x130/0x150
 felix_teardown+0x3c/0xd8
 dsa_tree_teardown_switches+0xbc/0xe0
 dsa_unregister_switch+0x168/0x260
 felix_pci_remove+0x30/0x60
 pci_device_remove+0x4c/0x100
 device_release_driver_internal+0x188/0x288
 device_links_unbind_consumers+0xfc/0x138
 device_release_driver_internal+0xe0/0x288
 device_driver_detach+0x24/0x38
 unbind_store+0xd8/0x108
 drv_attr_store+0x30/0x50
DSA: tree 0 torn down
This was somewhat not so easy to spot, because "ocelot-8021q" is not the default tagging protocol, and thus, not everyone who tests the unbinding path may have switched to it beforehand. The default felix_tag_npi_teardown() does not require rtnl_lock() to be held.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, the ocelot DSA driver fails to hold rtnl_lock when unregistering the 802.1q tagging protocol during driver removal, triggering kernel warnings.
The vulnerability is a locking bug in the Linux kernel's DSA subsystem, specifically in the ocelot driver (used by devices like MSCC Felix). When the driver is removed (e.g., via PCI unbind), the function dsa_tag_8021q_unregister() is called without first acquiring the rtnl_lock, leading to a kernel assertion failure and a warning splat. The warning originates from net/dsa/tag_8021q.c (line 409) and subsequently from net/8021q/vlan_core.c (line 376), as the VLAN operations rely on RTNL protection [1].
Triggering the bug requires local access to the system with sufficient privileges to unbind the DSA driver (e.g., writing to /sys/bus/pci/drivers/.../unbind). The bug is triggered during the driver removal sequence, not through external network input. It does not require authentication over the network, but local root or physical access is typically needed to initiate the unbind operation.
The impact is a kernel warning that may flood system logs and could lead to instability or a denial-of-service condition if the kernel is configured to treat warnings as a panic. There is no evidence of memory corruption or privilege escalation. The primary consequence is a violation of kernel locking rules, which under certain circumstances could enable race conditions affecting VLAN state.
The issue is fixed in the Linux kernel by commit [1], which ensures that dsa_tag_8021q_unregister() is called under rtnl_lock() in the driver's remove path. Users are advised to apply the corresponding stable kernel update. No workaround is available other than avoiding driver unbind or using a patched kernel.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
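A log-triage check for the splat quoted in the description, added here as an example (it is not code from the kernel patch or from this page). The function names, the SIGNATURE tuple and the shortened SAMPLE_LOG are assumptions built from the warning text above; the match relies on call-trace symbols because source line numbers change between kernel builds.

```python
import re

# Constructed sample: shortened copy of the splat quoted in the description above.
SAMPLE_LOG = """\
------------[ cut here ]------------
RTNL: assertion failed at net/dsa/tag_8021q.c (409)
WARNING: CPU: 1 PID: 329 at net/dsa/tag_8021q.c:409 dsa_tag_8021q_unregister+0x12c/0x1a0
Call trace:
 dsa_tag_8021q_unregister+0x12c/0x1a0
 felix_tag_8021q_teardown+0x130/0x150
 felix_teardown+0x3c/0xd8
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
RTNL: assertion failed at net/8021q/vlan_core.c (376)
WARNING: CPU: 1 PID: 329 at net/8021q/vlan_core.c:376 vlan_vid_del+0x1b8/0x1f0
 dsa_tag_8021q_unregister+0x8c/0x1a0
 felix_tag_8021q_teardown+0x130/0x150
 felix_teardown+0x3c/0xd8
DSA: tree 0 torn down
"""

ASSERT_RE = re.compile(r"RTNL: assertion failed at (\S+) \((\d+)\)")
# A bare "symbol+0xoff/0xlen" line, optionally behind a dmesg "[ time ]" prefix.
FRAME_RE = re.compile(r"^\s*(?:\[[^\]]*\]\s*)?([A-Za-z_][\w.]*)"
                      r"\+0x[0-9a-f]+/0x[0-9a-f]+(?:\s+\[\w+\])?\s*$")
# Frames, innermost first, of the unlocked ocelot-8021q teardown path (symbols only).
SIGNATURE = ("dsa_tag_8021q_unregister", "felix_tag_8021q_teardown", "felix_teardown")

def find_rtnl_splats(log_text):
    """Return one dict per RTNL assertion splat: source file, line, call-trace frames."""
    splats, current = [], None
    for line in log_text.splitlines():
        hit = ASSERT_RE.search(line)
        if hit:
            current = {"file": hit.group(1), "line": int(hit.group(2)), "frames": []}
            splats.append(current)
        elif "end trace" in line or "cut here" in line:
            current = None  # splat boundary: stop collecting frames
        elif current is not None and (frame := FRAME_RE.match(line)):
            current["frames"].append(frame.group(1))
    return splats

def matches_felix_teardown(splat):
    """True if the trace holds the SIGNATURE frames in order (gaps allowed)."""
    frames = iter(splat["frames"])
    return all(name in frames for name in SIGNATURE)

if __name__ == "__main__":
    for s in find_rtnl_splats(SAMPLE_LOG):
        print(s["file"], s["line"], "felix 8021q teardown:", matches_felix_teardown(s))
```

Feed it the output of `dmesg` or a collected kernel log; a splat that matches indicates the driver was removed on a kernel without the fix while "ocelot-8021q" tagging was in use.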
Affected products (2)
Patches (3)
758dbcfb257e
7ae8fa6b7097
a94c16a2fda0
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (3)