Lucene search
K

Unity Linux 20.1070e Security Update: kernel (UTSA-2025-987547)

🗓️ 21 Oct 2025 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 2 Views

Kernel fix for mv88e6xxx mdiobus devres panic on shutdown (UTSA-2025-987547).

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(270898);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/10/21");

  script_cve_id("CVE-2022-48818");

  script_name(english:"Unity Linux 20.1070e Security Update: kernel (UTSA-2025-987547)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2025-987547 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    net: dsa: mv88e6xxx: don't use devres for mdiobus

    As explained in commits:
    74b6d7d13307 (net: dsa: realtek: register the MDIO bus under devres)
    5135e96a3dd2 (net: dsa: don't allocate the slave_mii_bus using devres)

    mdiobus_free() will panic when called from devm_mdiobus_free() <-
    devres_release_all() <- __device_release_driver(), and that mdiobus was
    not previously unregistered.

    The mv88e6xxx is an MDIO device, so the initial set of constraints that
    I thought would cause this (I2C or SPI buses which call ->remove on
    ->shutdown) do not apply. But there is one more which applies here.

    If the DSA master itself is on a bus that calls ->remove from ->shutdown
    (like dpaa2-eth, which is on the fsl-mc bus), there is a device link
    between the switch and the DSA master, and device_links_unbind_consumers()
    will unbind the Marvell switch driver on shutdown.

    systemd-shutdown[1]: Powering off.
    mv88e6085 0x0000000008b96000:00 sw_gl0: Link is Down
    fsl-mc dpbp.9: Removing from iommu group 7
    fsl-mc dpbp.8: Removing from iommu group 7
    ------------[ cut here ]------------
    kernel BUG at drivers/net/phy/mdio_bus.c:677!
    Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
    Modules linked in:
    CPU: 0 PID: 1 Comm: systemd-shutdow Not tainted 5.16.5-00040-gdc05f73788e5 #15
    pc : mdiobus_free+0x44/0x50
    lr : devm_mdiobus_free+0x10/0x20
    Call trace:
     mdiobus_free+0x44/0x50
     devm_mdiobus_free+0x10/0x20
     devres_release_all+0xa0/0x100
     __device_release_driver+0x190/0x220
     device_release_driver_internal+0xac/0xb0
     device_links_unbind_consumers+0xd4/0x100
     __device_release_driver+0x4c/0x220
     device_release_driver_internal+0xac/0xb0
     device_links_unbind_consumers+0xd4/0x100
     __device_release_driver+0x94/0x220
     device_release_driver+0x28/0x40
     bus_remove_device+0x118/0x124
     device_del+0x174/0x420
     fsl_mc_device_remove+0x24/0x40
     __fsl_mc_device_remove+0xc/0x20
     device_for_each_child+0x58/0xa0
     dprc_remove+0x90/0xb0
     fsl_mc_driver_remove+0x20/0x5c
     __device_release_driver+0x21c/0x220
     device_release_driver+0x28/0x40
     bus_remove_device+0x118/0x124
     device_del+0x174/0x420
     fsl_mc_bus_remove+0x80/0x100
     fsl_mc_bus_shutdown+0xc/0x1c
     platform_shutdown+0x20/0x30
     device_shutdown+0x154/0x330
     kernel_power_off+0x34/0x6c
     __do_sys_reboot+0x15c/0x250
     __arm64_sys_reboot+0x20/0x30
     invoke_syscall.constprop.0+0x4c/0xe0
     do_el0_svc+0x4c/0x150
     el0_svc+0x24/0xb0
     el0t_64_sync_handler+0xa8/0xb0
     el0t_64_sync+0x178/0x17c

    So the same treatment must be applied to all DSA switch drivers, which
    is: either use devres for both the mdiobus allocation and registration,
    or don't use devres at all.

    The Marvell driver already has a good structure for mdiobus removal, so
    just plug in mdiobus_free and get rid of devres.

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2025-987547
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6bb0f56e");
  # https://lore.kernel.org/linux-cve-announce/2024071649-CVE-2022-48818-4dbb@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f1a1e8dc");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2022-48818");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-48818");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/03/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/10/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/10/21");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1070e([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1070e', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1070e',
    'pkgs': [
      {'reference':'kernel-5.10.0-74.15', 'sp':'1070e', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-74.15', 'sp':'1070e', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-74.15', 'sp':'1070e', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

21 Oct 2025 00:00Current
5.9Medium risk
Vulners AI Score5.9
CVSS 3.15.5
EPSS0.00273
SSVC
2