In the Linux kernel, the following vulnerability has been resolved:
net: dsa: seville: register the mdiobus under devres
As explained in commits:
74b6d7d13307 (“net: dsa: realtek: register the MDIO bus under devres”)
5135e96a3dd2 (“net: dsa: don’t allocate the slave_mii_bus using devres”)
mdiobus_free() will panic when called from devm_mdiobus_free() <-
devres_release_all() <- __device_release_driver(), and that mdiobus was
not previously unregistered.
The Seville VSC9959 switch is a platform device, so the initial set of
constraints that I thought would cause this (I2C or SPI buses which call
->remove on ->shutdown) do not apply. But there is one more which
applies here.
If the DSA master itself is on a bus that calls ->remove from ->shutdown
(like dpaa2-eth, which is on the fsl-mc bus), there is a device link
between the switch and the DSA master, and device_links_unbind_consumers()
will unbind the seville switch driver on shutdown.
So the same treatment must be applied to all DSA switch drivers, which
is: either use devres for both the mdiobus allocation and registration,
or don’t use devres at all.
The seville driver has a code structure that could accommodate both the
mdiobus_unregister and mdiobus_free calls, but it has an external
dependency upon mscc_miim_setup() from mdio-mscc-miim.c, which calls
devm_mdiobus_alloc_size() on its behalf. So rather than restructuring
that, and exporting yet one more symbol mscc_miim_teardown(), let’s work
with devres and replace of_mdiobus_register with the devres variant.
When we use all-devres, we can ensure that devres doesn’t free a
still-registered bus (it either runs both callbacks, or none).
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 20.04 | noarch | linux-intel-iotg-5.15 | < any | UNKNOWN |
git.kernel.org/linus/bd488afc3b39e045ba71aab472233f2a78726e7b (5.17-rc4)
git.kernel.org/stable/c/0e816362d823cd46c666e64d8bffe329ee22f4cc
git.kernel.org/stable/c/1d13e7221035947c62800c9d3d99b4ed570e27e7
git.kernel.org/stable/c/bd488afc3b39e045ba71aab472233f2a78726e7b
launchpad.net/bugs/cve/CVE-2022-48814
nvd.nist.gov/vuln/detail/CVE-2022-48814
security-tracker.debian.org/tracker/CVE-2022-48814
www.cve.org/CVERecord?id=CVE-2022-48814