{
  "threat_severity" : "Low",
  "public_date" : "2025-12-09T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: l2tp: Avoid possible recursive deadlock in l2tp_tunnel_register()",
    "id" : "2420256",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2420256"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nl2tp: Avoid possible recursive deadlock in l2tp_tunnel_register()\nWhen a file descriptor of pppol2tp socket is passed as file descriptor\nof UDP socket, a recursive deadlock occurs in l2tp_tunnel_register().\nThis situation is reproduced by the following program:\nint main(void)\n{\nint sock;\nstruct sockaddr_pppol2tp addr;\nsock = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP);\nif (sock < 0) {\nperror(\"socket\");\nreturn 1;\n}\naddr.sa_family = AF_PPPOX;\naddr.sa_protocol = PX_PROTO_OL2TP;\naddr.pppol2tp.pid = 0;\naddr.pppol2tp.fd = sock;\naddr.pppol2tp.addr.sin_family = PF_INET;\naddr.pppol2tp.addr.sin_port = htons(0);\naddr.pppol2tp.addr.sin_addr.s_addr = inet_addr(\"192.168.0.1\");\naddr.pppol2tp.s_tunnel = 1;\naddr.pppol2tp.s_session = 0;\naddr.pppol2tp.d_tunnel = 0;\naddr.pppol2tp.d_session = 0;\nif (connect(sock, (const struct sockaddr *)&addr, sizeof(addr)) < 0) {\nperror(\"connect\");\nreturn 1;\n}\nreturn 0;\n}\nThis program causes the following lockdep warning:\n============================================\nWARNING: possible recursive locking detected\n6.2.0-rc5-00205-gc96618275234 #56 Not tainted\n--------------------------------------------\nrepro/8607 is trying to acquire lock:\nffff8880213c8130 (sk_lock-AF_PPPOX){+.+.}-{0:0}, at: l2tp_tunnel_register+0x2b7/0x11c0\nbut task is already holding lock:\nffff8880213c8130 (sk_lock-AF_PPPOX){+.+.}-{0:0}, at: pppol2tp_connect+0xa82/0x1a30\nother info that might help us debug this:\nPossible unsafe locking scenario:\nCPU0\n----\nlock(sk_lock-AF_PPPOX);\nlock(sk_lock-AF_PPPOX);\n*** DEADLOCK ***\nMay be due to missing lock nesting notation\n1 lock held by repro/8607:\n#0: ffff8880213c8130 (sk_lock-AF_PPPOX){+.+.}-{0:0}, at: pppol2tp_connect+0xa82/0x1a30\nstack backtrace:\nCPU: 0 PID: 8607 Comm: repro Not tainted 6.2.0-rc5-00205-gc96618275234 #56\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014\nCall Trace:\n<TASK>\ndump_stack_lvl+0x100/0x178\n__lock_acquire.cold+0x119/0x3b9\n? lockdep_hardirqs_on_prepare+0x410/0x410\nlock_acquire+0x1e0/0x610\n? l2tp_tunnel_register+0x2b7/0x11c0\n? lock_downgrade+0x710/0x710\n? __fget_files+0x283/0x3e0\nlock_sock_nested+0x3a/0xf0\n? l2tp_tunnel_register+0x2b7/0x11c0\nl2tp_tunnel_register+0x2b7/0x11c0\n? sprintf+0xc4/0x100\n? l2tp_tunnel_del_work+0x6b0/0x6b0\n? debug_object_deactivate+0x320/0x320\n? lockdep_init_map_type+0x16d/0x7a0\n? lockdep_init_map_type+0x16d/0x7a0\n? l2tp_tunnel_create+0x2bf/0x4b0\n? l2tp_tunnel_create+0x3c6/0x4b0\npppol2tp_connect+0x14e1/0x1a30\n? pppol2tp_put_sk+0xd0/0xd0\n? aa_sk_perm+0x2b7/0xa80\n? aa_af_perm+0x260/0x260\n? bpf_lsm_socket_connect+0x9/0x10\n? pppol2tp_put_sk+0xd0/0xd0\n__sys_connect_file+0x14f/0x190\n__sys_connect+0x133/0x160\n? __sys_connect_file+0x190/0x190\n? lockdep_hardirqs_on+0x7d/0x100\n? ktime_get_coarse_real_ts64+0x1b7/0x200\n? ktime_get_coarse_real_ts64+0x147/0x200\n? __audit_syscall_entry+0x396/0x500\n__x64_sys_connect+0x72/0xb0\ndo_syscall_64+0x38/0xb0\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\nThis patch fixes the issue by getting/creating the tunnel before\nlocking the pppol2tp socket." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53809\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53809\nhttps://lore.kernel.org/linux-cve-announce/2025120944-CVE-2023-53809-ca78@gregkh/T" ],
  "name" : "CVE-2023-53809",
  "csaw" : false
}