CVE-2023-54149: net: dsa: avoid suspicious RCU usage for synced VLAN-aware MAC addresses
In the Linux kernel, the following vulnerability has been resolved:
net: dsa: avoid suspicious RCU usage for synced VLAN-aware MAC addresses
When using the felix driver (the only one which supports UC filtering
and MC filtering) as a DSA master for a random other DSA switch, one can
see the following stack trace when the downstream switch ports join a
VLAN-aware bridge:
=============================
WARNING: suspicious RCU usage
-----------------------------
net/8021q/vlan_core.c:238 suspicious rcu_dereference_protected() usage!
stack backtrace:
Workqueue: dsa_ordered dsa_slave_switchdev_event_work
Call trace:
lockdep_rcu_suspicious+0x170/0x210
vlan_for_each+0x8c/0x188
dsa_slave_sync_uc+0x128/0x178
__hw_addr_sync_dev+0x138/0x158
dsa_slave_set_rx_mode+0x58/0x70
__dev_set_rx_mode+0x88/0xa8
dev_uc_add+0x74/0xa0
dsa_port_bridge_host_fdb_add+0xec/0x180
dsa_slave_switchdev_event_work+0x7c/0x1c8
process_one_work+0x290/0x568
What it's saying is that vlan_for_each() expects rtnl_lock() context and
it's not getting it, when it's called from the DSA master's ndo_set_rx_mode().
The caller of that - dsa_slave_set_rx_mode() - is the slave DSA
interface's dsa_port_bridge_host_fdb_add() which comes from the deferred
dsa_slave_switchdev_event_work().
We went to great lengths to avoid the rtnl_lock() context in that call
path in commit 0faf890fc519 ("net: dsa: drop rtnl_lock from
dsa_slave_switchdev_event_work"), and calling rtnl_lock() is simply not
an option due to the possibility of deadlocking when calling
dsa_flush_workqueue() from the call paths that do hold rtnl_lock() -
basically all of them.
So, when the DSA master calls vlan_for_each() from its ndo_set_rx_mode(),
the state of the 8021q driver on this device is really not protected
from concurrent access by anything.
Looking at net/8021q/, I don't think that vlan_info->vid_list was
particularly designed with RCU traversal in mind, so introducing an RCU
read-side form of vlan_for_each() - vlan_for_each_rcu() - won't be so
easy, and it also wouldn't be exactly what we need anyway.
In general I believe that the solution isn't in net/8021q/ anyway;
vlan_for_each() is not cut out for this task. DSA doesn't need rtnl_lock()
to be held per se - since it's not a netdev state change that we're
blocking, but rather, just concurrent additions/removals to a VLAN list.
We don't even need sleepable context - the callback of vlan_for_each()
just schedules deferred work.
The proposed escape is to remove the dependency on vlan_for_each() and
to open-code a non-sleepable, rtnl-free alternative to that, based on
copies of the VLAN list modified from .ndo_vlan_rx_add_vid() and
.ndo_vlan_rx_kill_vid().
Security readout for executives and security teams
Plain-English summary
This is a Linux kernel networking bug in a specialized switch configuration. It involves unsafe concurrent access around VLAN-aware bridge handling for DSA switches, especially when the felix driver is used as a DSA master. The supplied sources show a kernel warning and a resolved upstream issue, but do not establish active exploitation or business impact severity.
Executive priority
Treat this as targeted infrastructure hygiene rather than an internet-wide emergency. Patch affected network appliances, embedded Linux platforms, or servers using DSA switch hardware, especially where VLAN-aware bridging is deployed. Escalate if these systems are production network control points.
Technical view
The flaw is in Linux DSA MAC address synchronization for VLAN-aware bridges. The call path reaches vlan_for_each() from ndo_set_rx_mode() without rtnl_lock(), leaving 8021q VLAN list state insufficiently protected against concurrent access. The kernel fix avoids vlan_for_each() in this path and tracks VLAN list copies updated through VLAN add and delete callbacks.
Likely exposure
Exposure appears limited to Linux systems using DSA switch infrastructure, particularly felix as a DSA master with downstream switch ports in VLAN-aware bridges. General Linux servers without this switching topology are less likely to be exposed. The bundle provides kernel version metadata but no distro package mapping or CPEs.
Exploitation context
The sources describe a suspicious RCU usage warning and concurrency issue, not a public exploit path. KEV is false in the bundle, and no cited source claims active exploitation. Impact beyond potential kernel networking instability is not established by the provided evidence.
Researcher notes
Evidence is strongest for root cause and upstream fix direction, but weak for exploitability, affected distro packages, and practical impact. The important validation question is whether a system runs the specific DSA/felix/VLAN-aware bridge topology described by the kernel advisory.
Mitigation direction
Update to a Linux kernel or vendor package containing the referenced stable fixes.
Check distribution advisories for backported fixes matching CVE-2023-54149.
Prioritize systems using DSA, felix, and VLAN-aware bridge configurations.
Avoid affected DSA/VLAN-aware bridge combinations where operationally feasible until patched.
Test network switching and VLAN behavior after applying kernel updates.
Validation and detection
Inventory Linux kernels on systems using DSA-managed switch hardware.
Confirm whether felix is used as a DSA master in the environment.
Review kernel logs for suspicious RCU usage involving vlan_for_each or dsa_slave_sync_uc.
Verify vendor kernel changelogs reference CVE-2023-54149 or the stable commits.
Validate VLAN-aware bridge behavior in staging after patching.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2023-54149 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
4Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Dec 24, 2025, 13:07 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.