CVE-2022-48814

As explained in commits: 74b6d7d13307 ("net: dsa: realtek: register the MDIO bus under devres") 5135e96a3dd2 ("net: dsa: don't allocate the slavemiibus using devres")

mdiobusfree() will panic when called from devmmdiobusfree() <- devresreleaseall() <- _devicereleasedriver(), and that mdiobus was not previously unregistered.

The Seville VSC9959 switch is a platform device, so the initial set of constraints that I thought would cause this (I2C or SPI buses which call ->remove on ->shutdown) do not apply. But there is one more which applies here.

If the DSA master itself is on a bus that calls ->remove from ->shutdown (like dpaa2-eth, which is on the fsl-mc bus), there is a device link between the switch and the DSA master, and devicelinksunbind_consumers() will unbind the seville switch driver on shutdown.

So the same treatment must be applied to all DSA switch drivers, which is: either use devres for both the mdiobus allocation and registration, or don't use devres at all.

The seville driver has a code structure that could accommodate both the mdiobusunregister and mdiobusfree calls, but it has an external dependency upon msccmiimsetup() from mdio-mscc-miim.c, which calls devmmdiobusallocsize() on its behalf. So rather than restructuring that, and exporting yet one more symbol msccmiimteardown(), let's work with devres and replace ofmdiobus_register with the devres variant. When we use all-devres, we can ensure that devres doesn't free a still-registered bus (it either runs both callbacks, or none).

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

ac3a68d56651c3dad2c12c7afce065fe15267f44

Fixed

1d13e7221035947c62800c9d3d99b4ed570e27e7

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

ac3a68d56651c3dad2c12c7afce065fe15267f44

Fixed

0e816362d823cd46c666e64d8bffe329ee22f4cc

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

ac3a68d56651c3dad2c12c7afce065fe15267f44

Fixed

bd488afc3b39e045ba71aab472233f2a78726e7b

Affected versions

v5.*

v5.10

v5.10-rc1

v5.10-rc2

v5.10-rc3

v5.10-rc4

v5.10-rc5

v5.10-rc6

v5.10-rc7

v5.11

v5.11-rc1

v5.11-rc2

v5.11-rc3

v5.11-rc4

v5.11-rc5

v5.11-rc6

v5.11-rc7

v5.12

v5.12-rc1

v5.12-rc1-dontuse

v5.12-rc2

v5.12-rc3

v5.12-rc4

v5.12-rc5

v5.12-rc6

v5.12-rc7

v5.12-rc8

v5.13

v5.13-rc1

v5.13-rc2

v5.13-rc3

v5.13-rc4

v5.13-rc5

v5.13-rc6

v5.13-rc7

v5.14

v5.14-rc1

v5.14-rc2

v5.14-rc3

v5.14-rc4

v5.14-rc5

v5.14-rc6

v5.14-rc7

v5.15

v5.15-rc1

v5.15-rc2

v5.15-rc3

v5.15-rc4

v5.15-rc5

v5.15-rc6

v5.15-rc7

v5.15.1

v5.15.10

v5.15.11

v5.15.12

v5.15.13

v5.15.14

v5.15.15

v5.15.16

v5.15.17

v5.15.18

v5.15.19

v5.15.2

v5.15.20

v5.15.21

v5.15.22

v5.15.23

v5.15.24

v5.15.25

v5.15.26

v5.15.3

v5.15.4

v5.15.5

v5.15.6

v5.15.7

v5.15.8

v5.15.9

v5.16

v5.16-rc1

v5.16-rc2

v5.16-rc3

v5.16-rc4

v5.16-rc5

v5.16-rc6

v5.16-rc7

v5.16-rc8

v5.16.1

v5.16.2

v5.16.3

v5.16.4

v5.16.5

v5.16.6

v5.16.7

v5.16.8

v5.16.9

v5.17-rc1

v5.17-rc2

v5.8

v5.8-rc3

v5.8-rc4

v5.8-rc5

v5.8-rc6

v5.8-rc7

v5.9

v5.9-rc1

v5.9-rc2

v5.9-rc3

v5.9-rc4

v5.9-rc5

v5.9-rc6

v5.9-rc7

v5.9-rc8

Database specific

vanir_signatures

[
    {
        "signature_type": "Function",
        "digest": {
            "function_hash": "259792548493762981691991285200741464942",
            "length": 315.0
        },
        "target": {
            "file": "drivers/net/dsa/ocelot/seville_vsc9953.c",
            "function": "vsc9953_mdio_bus_free"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bd488afc3b39e045ba71aab472233f2a78726e7b",
        "id": "CVE-2022-48814-0492d243",
        "deprecated": false,
        "signature_version": "v1"
    },
    {
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "77642642214210409705101627564761243461",
                "74354774919297397682409224949031548597",
                "195750149901502186458403304551123665803",
                "27141492480661959040060331253506773241",
                "140534006092241315612987310219424171370",
                "111257975833545229593827339262285205822",
                "80948991043095986844925828303905512957",
                "147834672082864154539719518324665509669"
            ]
        },
        "target": {
            "file": "drivers/net/dsa/ocelot/seville_vsc9953.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1d13e7221035947c62800c9d3d99b4ed570e27e7",
        "id": "CVE-2022-48814-0a00377d",
        "deprecated": false,
        "signature_version": "v1"
    },
    {
        "signature_type": "Function",
        "digest": {
            "function_hash": "274512319417588157591447773410321375664",
            "length": 1224.0
        },
        "target": {
            "file": "drivers/net/dsa/ocelot/seville_vsc9953.c",
            "function": "vsc9953_mdio_bus_alloc"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bd488afc3b39e045ba71aab472233f2a78726e7b",
        "id": "CVE-2022-48814-177ed5d8",
        "deprecated": false,
        "signature_version": "v1"
    },
    {
        "signature_type": "Function",
        "digest": {
            "function_hash": "207607989796727339523956592860920530592",
            "length": 1287.0
        },
        "target": {
            "file": "drivers/net/dsa/ocelot/seville_vsc9953.c",
            "function": "vsc9953_mdio_bus_alloc"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0e816362d823cd46c666e64d8bffe329ee22f4cc",
        "id": "CVE-2022-48814-3c422b0c",
        "deprecated": false,
        "signature_version": "v1"
    },
    {
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "59001319304816054099902187454917869893",
                "149102352603798254756837791018163812555",
                "159220299796103731524005503318742432958",
                "27141492480661959040060331253506773241",
                "173158703474322103532514367156789795148",
                "250849225691121184099837799520065597356",
                "80948991043095986844925828303905512957",
                "147834672082864154539719518324665509669"
            ]
        },
        "target": {
            "file": "drivers/net/dsa/ocelot/seville_vsc9953.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bd488afc3b39e045ba71aab472233f2a78726e7b",
        "id": "CVE-2022-48814-52335d14",
        "deprecated": false,
        "signature_version": "v1"
    },
    {
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "77642642214210409705101627564761243461",
                "74354774919297397682409224949031548597",
                "195750149901502186458403304551123665803",
                "27141492480661959040060331253506773241",
                "140534006092241315612987310219424171370",
                "111257975833545229593827339262285205822",
                "80948991043095986844925828303905512957",
                "147834672082864154539719518324665509669"
            ]
        },
        "target": {
            "file": "drivers/net/dsa/ocelot/seville_vsc9953.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0e816362d823cd46c666e64d8bffe329ee22f4cc",
        "id": "CVE-2022-48814-5e2b8a56",
        "deprecated": false,
        "signature_version": "v1"
    },
    {
        "signature_type": "Function",
        "digest": {
            "function_hash": "36664596050076886443086874849228940813",
            "length": 284.0
        },
        "target": {
            "file": "drivers/net/dsa/ocelot/seville_vsc9953.c",
            "function": "vsc9953_mdio_bus_free"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1d13e7221035947c62800c9d3d99b4ed570e27e7",
        "id": "CVE-2022-48814-6485bae5",
        "deprecated": false,
        "signature_version": "v1"
    },
    {
        "signature_type": "Function",
        "digest": {
            "function_hash": "207607989796727339523956592860920530592",
            "length": 1287.0
        },
        "target": {
            "file": "drivers/net/dsa/ocelot/seville_vsc9953.c",
            "function": "vsc9953_mdio_bus_alloc"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1d13e7221035947c62800c9d3d99b4ed570e27e7",
        "id": "CVE-2022-48814-8735b40f",
        "deprecated": false,
        "signature_version": "v1"
    },
    {
        "signature_type": "Function",
        "digest": {
            "function_hash": "36664596050076886443086874849228940813",
            "length": 284.0
        },
        "target": {
            "file": "drivers/net/dsa/ocelot/seville_vsc9953.c",
            "function": "vsc9953_mdio_bus_free"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0e816362d823cd46c666e64d8bffe329ee22f4cc",
        "id": "CVE-2022-48814-f46608b4",
        "deprecated": false,
        "signature_version": "v1"
    }
]

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.9.0

Fixed

5.15.27

Type: ECOSYSTEM
Events: Introduced

5.16.0

Fixed

5.16.10