Fixed
Created: Dec 10, 2025
Updated: Dec 11, 2025
Resolved Date: Dec 10, 2025
Found In Version: 10.23.30.1
Fix Version: 10.23.30.2
Severity: Standard
Applicable for: Wind River Linux LTS 23
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:[EOL][EOL]net: dsa: ocelot: call dsa_tag_8021q_unregister() under rtnl_lock() on driver remove[EOL][EOL]When the tagging protocol in current use is "ocelot-8021q" and we unbind[EOL]the driver, we see this splat:[EOL][EOL]$ echo '0000:00:00.2' > /sys/bus/pci/drivers/fsl_enetc/unbind[EOL]mscc_felix 0000:00:00.5 swp0: left promiscuous mode[EOL]sja1105 spi2.0: Link is Down[EOL]DSA: tree 1 torn down[EOL]mscc_felix 0000:00:00.5 swp2: left promiscuous mode[EOL]sja1105 spi2.2: Link is Down[EOL]DSA: tree 3 torn down[EOL]fsl_enetc 0000:00:00.2 eno2: left promiscuous mode[EOL]mscc_felix 0000:00:00.5: Link is Down[EOL]------------[ cut here ]------------[EOL]RTNL: assertion failed at net/dsa/tag_8021q.c (409)[EOL]WARNING: CPU: 1 PID: 329 at net/dsa/tag_8021q.c:409 dsa_tag_8021q_unregister+0x12c/0x1a0[EOL]Modules linked in:[EOL]CPU: 1 PID: 329 Comm: bash Not tainted 6.5.0-rc3+ #771[EOL]pc : dsa_tag_8021q_unregister+0x12c/0x1a0[EOL]lr : dsa_tag_8021q_unregister+0x12c/0x1a0[EOL]Call trace:[EOL] dsa_tag_8021q_unregister+0x12c/0x1a0[EOL] felix_tag_8021q_teardown+0x130/0x150[EOL] felix_teardown+0x3c/0xd8[EOL] dsa_tree_teardown_switches+0xbc/0xe0[EOL] dsa_unregister_switch+0x168/0x260[EOL] felix_pci_remove+0x30/0x60[EOL] pci_device_remove+0x4c/0x100[EOL] device_release_driver_internal+0x188/0x288[EOL] device_links_unbind_consumers+0xfc/0x138[EOL] device_release_driver_internal+0xe0/0x288[EOL] device_driver_detach+0x24/0x38[EOL] unbind_store+0xd8/0x108[EOL] drv_attr_store+0x30/0x50[EOL]---[ end trace 0000000000000000 ]---[EOL]------------[ cut here ]------------[EOL]RTNL: assertion failed at net/8021q/vlan_core.c (376)[EOL]WARNING: CPU: 1 PID: 329 at net/8021q/vlan_core.c:376 vlan_vid_del+0x1b8/0x1f0[EOL]CPU: 1 PID: 329 Comm: bash Tainted: G W 6.5.0-rc3+ #771[EOL]pc : vlan_vid_del+0x1b8/0x1f0[EOL]lr : vlan_vid_del+0x1b8/0x1f0[EOL] dsa_tag_8021q_unregister+0x8c/0x1a0[EOL] felix_tag_8021q_teardown+0x130/0x150[EOL] felix_teardown+0x3c/0xd8[EOL] dsa_tree_teardown_switches+0xbc/0xe0[EOL] dsa_unregister_switch+0x168/0x260[EOL] felix_pci_remove+0x30/0x60[EOL] pci_device_remove+0x4c/0x100[EOL] device_release_driver_internal+0x188/0x288[EOL] device_links_unbind_consumers+0xfc/0x138[EOL] device_release_driver_internal+0xe0/0x288[EOL] device_driver_detach+0x24/0x38[EOL] unbind_store+0xd8/0x108[EOL] drv_attr_store+0x30/0x50[EOL]DSA: tree 0 torn down[EOL][EOL]This was somewhat not so easy to spot, because "ocelot-8021q" is not the[EOL]default tagging protocol, and thus, not everyone who tests the unbinding[EOL]path may have switched to it beforehand. The default[EOL]felix_tag_npi_teardown() does not require rtnl_lock() to be held.
