CVE-2022-48817

Summary

In the Linux kernel, the following vulnerability has been resolved:

net: dsa: ar9331: register the mdiobus under devres

As explained in commits: 74b6d7d13307 ("net: dsa: realtek: register the MDIO bus under devres") 5135e96a3dd2 ("net: dsa: don't allocate the slave_mii_bus using devres")

mdiobus_free() will panic when called from devm_mdiobus_free() <- devres_release_all() <- __device_release_driver(), and that mdiobus was not previously unregistered.

The ar9331 is an MDIO device, so the initial set of constraints that I thought would cause this (I2C or SPI buses which call ->remove on ->shutdown) do not apply. But there is one more which applies here.

If the DSA master itself is on a bus that calls ->remove from ->shutdown (like dpaa2-eth, which is on the fsl-mc bus), there is a device link between the switch and the DSA master, and device_links_unbind_consumers() will unbind the ar9331 switch driver on shutdown.

So the same treatment must be applied to all DSA switch drivers, which is: either use devres for both the mdiobus allocation and registration, or don't use devres at all.

The ar9331 driver doesn't have a complex code structure for mdiobus removal, so just replace of_mdiobus_register with the devres variant in order to be all-devres and ensure that we don't free a still-registered bus.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxac3a68d56651c3dad2c12c7afce065fe15267f44 < 475ce5dcf2d88fd4f3c213a0ac944e3e40702970affected
LinuxLinuxac3a68d56651c3dad2c12c7afce065fe15267f44 < aae1c6a1d3d696fc33b609fb12fe744a556d1dc5affected
LinuxLinuxac3a68d56651c3dad2c12c7afce065fe15267f44 < f1842a8cb71de4d7eb75a86f76e88c7ee739218caffected
LinuxLinuxac3a68d56651c3dad2c12c7afce065fe15267f44 < 50facd86e9fbc4b93fe02e5fe05776047f45dbfbaffected
LinuxLinux5.9affected
LinuxLinux0 < 5.9unaffected
LinuxLinux5.10.101 <= 5.10.*unaffected
LinuxLinux5.15.24 <= 5.15.*unaffected
LinuxLinux5.16.10 <= 5.16.*unaffected
LinuxLinux5.17 <= *unaffected

Weaknesses

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References