{"id":"CVE-2023-53188","summary":"net: openvswitch: fix race on port output","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: fix race on port output\n\nassume the following setup on a single machine:\n1. An openvswitch instance with one bridge and default flows\n2. two network namespaces \"server\" and \"client\"\n3. two ovs interfaces \"server\" and \"client\" on the bridge\n4. for each ovs interface a veth pair with a matching name and 32 rx and\n   tx queues\n5. move the ends of the veth pairs to the respective network namespaces\n6. assign ip addresses to each of the veth ends in the namespaces (needs\n   to be the same subnet)\n7. start some http server on the server network namespace\n8. test if a client in the client namespace can reach the http server\n\nwhen following the actions below the host has a chance of getting a cpu\nstuck in a infinite loop:\n1. send a large amount of parallel requests to the http server (around\n   3000 curls should work)\n2. in parallel delete the network namespace (do not delete interfaces or\n   stop the server, just kill the namespace)\n\nthere is a low chance that this will cause the below kernel cpu stuck\nmessage. If this does not happen just retry.\nBelow there is also the output of bpftrace for the functions mentioned\nin the output.\n\nThe series of events happening here is:\n1. the network namespace is deleted calling\n   `unregister_netdevice_many_notify` somewhere in the process\n2. this sets first `NETREG_UNREGISTERING` on both ends of the veth and\n   then runs `synchronize_net`\n3. it then calls `call_netdevice_notifiers` with `NETDEV_UNREGISTER`\n4. this is then handled by `dp_device_event` which calls\n   `ovs_netdev_detach_dev` (if a vport is found, which is the case for\n   the veth interface attached to ovs)\n5. this removes the rx_handlers of the device but does not prevent\n   packages to be sent to the device\n6. `dp_device_event` then queues the vport deletion to work in\n   background as a ovs_lock is needed that we do not hold in the\n   unregistration path\n7. `unregister_netdevice_many_notify` continues to call\n   `netdev_unregister_kobject` which sets `real_num_tx_queues` to 0\n8. port deletion continues (but details are not relevant for this issue)\n9. at some future point the background task deletes the vport\n\nIf after 7. but before 9. a packet is send to the ovs vport (which is\nnot deleted at this point in time) which forwards it to the\n`dev_queue_xmit` flow even though the device is unregistering.\nIn `skb_tx_hash` (which is called in the `dev_queue_xmit`) path there is\na while loop (if the packet has a rx_queue recorded) that is infinite if\n`dev-\u003ereal_num_tx_queues` is zero.\n\nTo prevent this from happening we update `do_output` to handle devices\nwithout carrier the same as if the device is not found (which would\nbe the code path after 9. is done).\n\nAdditionally we now produce a warning in `skb_tx_hash` if we will hit\nthe infinite loop.\n\nbpftrace (first word is function name):\n\n__dev_queue_xmit server: real_num_tx_queues: 1, cpu: 2, pid: 28024, tid: 28024, skb_addr: 0xffff9edb6f207000, reg_state: 1\nnetdev_core_pick_tx server: addr: 0xffff9f0a46d4a000 real_num_tx_queues: 1, cpu: 2, pid: 28024, tid: 28024, skb_addr: 0xffff9edb6f207000, reg_state: 1\ndp_device_event server: real_num_tx_queues: 1 cpu 9, pid: 21024, tid: 21024, event 2, reg_state: 1\nsynchronize_rcu_expedited: cpu 9, pid: 21024, tid: 21024\nsynchronize_rcu_expedited: cpu 9, pid: 21024, tid: 21024\nsynchronize_rcu_expedited: cpu 9, pid: 21024, tid: 21024\nsynchronize_rcu_expedited: cpu 9, pid: 21024, tid: 21024\ndp_device_event server: real_num_tx_queues: 1 cpu 9, pid: 21024, tid: 21024, event 6, reg_state: 2\novs_netdev_detach_dev server: real_num_tx_queues: 1 cpu 9, pid: 21024, tid: 21024, reg_state: 2\nnetdev_rx_handler_unregister server: real_num_tx_queues: 1, cpu: 9, pid: 21024, tid: 21024, reg_state: 2\nsynchronize_rcu_expedited: cpu 9, pid: 21024, tid: 21024\nnetdev_rx_handler_unregister ret server: real_num_tx_queues: 1, cpu: 9, pid: 21024, tid: 21024, reg_state: 2\ndp_\n---truncated---","modified":"2026-04-02T09:43:45.980145Z","published":"2025-09-15T14:04:52.248Z","related":["SUSE-SU-2025:4189-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53188.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/066b86787fa3d97b7aefb5ac0a99a22dad2d15f8"},{"type":"WEB","url":"https://git.kernel.org/stable/c/284be5db6c8d06d247ed056cfc448c4f79bbb16c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/56252da41426f3d01957456f13caf46ce670ea29"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5efcb301523baacd98a47553d4996e924923114d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/644b3051b06ba465bc7401bfae9b14963cbc8c1c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9b0dd09c1ceb35950d2884848099fccc9ec9a123"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53188.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-53188"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"7f8a436eaa2c3ddd8e1ff2fbca267e6275085536"},{"fixed":"9b0dd09c1ceb35950d2884848099fccc9ec9a123"},{"fixed":"284be5db6c8d06d247ed056cfc448c4f79bbb16c"},{"fixed":"5efcb301523baacd98a47553d4996e924923114d"},{"fixed":"644b3051b06ba465bc7401bfae9b14963cbc8c1c"},{"fixed":"56252da41426f3d01957456f13caf46ce670ea29"},{"fixed":"066b86787fa3d97b7aefb5ac0a99a22dad2d15f8"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-53188.json"}}],"schema_version":"1.7.5"}