Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: net: dsa: seville: register the mdiobus under devres As explained in commits: 74b6d7d13307 ("net: dsa: realtek: register the MDIO bus under devres") 5135e96a3dd2 ("net: dsa: don't allocate the slave_mii_bus using devres") mdiobus_free() will panic when called from devm_mdiobus_free() <- devres_release_all() <- __device_release_driver(), and that mdiobus was not previously unregistered. The Seville VSC9959 switch is a platform device, so the initial set of constraints that I thought would cause this (I2C or SPI buses which call ->remove on ->shutdown) do not apply. But there is one more which applies here. If the DSA master itself is on a bus that calls ->remove from ->shutdown (like dpaa2-eth, which is on the fsl-mc bus), there is a device link between the switch and the DSA master, and device_links_unbind_consumers() will unbind the seville switch driver on shutdown. So the same treatment must be applied to all DSA switch drivers, which is: either use devres for both the mdiobus allocation and registration, or don't use devres at all. The seville driver has a code structure that could accommodate both the mdiobus_unregister and mdiobus_free calls, but it has an external dependency upon mscc_miim_setup() from mdio-mscc-miim.c, which calls devm_mdiobus_alloc_size() on its behalf. So rather than restructuring that, and exporting yet one more symbol mscc_miim_teardown(), let's work with devres and replace of_mdiobus_register with the devres variant. When we use all-devres, we can ensure that devres doesn't free a still-registered bus (it either runs both callbacks, or none).
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux Kernel | >= 5.9, < 5.15.27 |
References
- https://git.kernel.org/stable/c/0e816362d823cd46c666e64d8bffe329ee22f4ccPatch
- https://git.kernel.org/stable/c/1d13e7221035947c62800c9d3d99b4ed570e27e7Patch
- https://git.kernel.org/stable/c/bd488afc3b39e045ba71aab472233f2a78726e7bPatch
- https://git.kernel.org/stable/c/0e816362d823cd46c666e64d8bffe329ee22f4ccPatch
- https://git.kernel.org/stable/c/1d13e7221035947c62800c9d3d99b4ed570e27e7Patch
- https://git.kernel.org/stable/c/bd488afc3b39e045ba71aab472233f2a78726e7bPatch
FAQ
What is CVE-2022-48814?
CVE-2022-48814 is a vulnerability with a CVSS score of 5.5 (MEDIUM). In the Linux kernel, the following vulnerability has been resolved: net: dsa: seville: register the mdiobus under devres As explained in commits: 74b6d7d13307 ("net: dsa: realtek: register the MDIO ...
How severe is CVE-2022-48814?
CVE-2022-48814 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-48814?
Check the references section above for vendor advisories and patch information. Affected products include: Linux Linux Kernel.