CVE-2022-48814
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-48814
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-48814.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2022-48814
- Downstream
- Related
- Published
- 2024-07-16T11:44:03Z
- Modified
- 2025-10-14T20:12:22.330999Z
- Summary
- net: dsa: seville: register the mdiobus under devres
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
net: dsa: seville: register the mdiobus under devres
As explained in commits: 74b6d7d13307 ("net: dsa: realtek: register the MDIO bus under devres") 5135e96a3dd2 ("net: dsa: don't allocate the slavemiibus using devres")
mdiobusfree() will panic when called from devmmdiobusfree() <- devresreleaseall() <- _devicereleasedriver(), and that mdiobus was not previously unregistered.
The Seville VSC9959 switch is a platform device, so the initial set of constraints that I thought would cause this (I2C or SPI buses which call ->remove on ->shutdown) do not apply. But there is one more which applies here.
If the DSA master itself is on a bus that calls ->remove from ->shutdown (like dpaa2-eth, which is on the fsl-mc bus), there is a device link between the switch and the DSA master, and devicelinksunbind_consumers() will unbind the seville switch driver on shutdown.
So the same treatment must be applied to all DSA switch drivers, which is: either use devres for both the mdiobus allocation and registration, or don't use devres at all.
The seville driver has a code structure that could accommodate both the mdiobusunregister and mdiobusfree calls, but it has an external dependency upon msccmiimsetup() from mdio-mscc-miim.c, which calls devmmdiobusallocsize() on its behalf. So rather than restructuring that, and exporting yet one more symbol msccmiimteardown(), let's work with devres and replace ofmdiobus_register with the devres variant. When we use all-devres, we can ensure that devres doesn't free a still-registered bus (it either runs both callbacks, or none).
- References
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedac3a68d56651c3dad2c12c7afce065fe15267f44Fixed1d13e7221035947c62800c9d3d99b4ed570e27e7
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedac3a68d56651c3dad2c12c7afce065fe15267f44Fixed0e816362d823cd46c666e64d8bffe329ee22f4cc
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedac3a68d56651c3dad2c12c7afce065fe15267f44Fixedbd488afc3b39e045ba71aab472233f2a78726e7b
Affected versions
v5.*
Database specific
{
"vanir_signatures": [
{
"id": "CVE-2022-48814-0492d243",
"signature_type": "Function",
"target": {
"file": "drivers/net/dsa/ocelot/seville_vsc9953.c",
"function": "vsc9953_mdio_bus_free"
},
"deprecated": false,
"digest": {
"length": 315.0,
"function_hash": "259792548493762981691991285200741464942"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bd488afc3b39e045ba71aab472233f2a78726e7b"
},
{
"id": "CVE-2022-48814-0a00377d",
"signature_type": "Line",
"target": {
"file": "drivers/net/dsa/ocelot/seville_vsc9953.c"
},
"deprecated": false,
"digest": {
"line_hashes": [
"77642642214210409705101627564761243461",
"74354774919297397682409224949031548597",
"195750149901502186458403304551123665803",
"27141492480661959040060331253506773241",
"140534006092241315612987310219424171370",
"111257975833545229593827339262285205822",
"80948991043095986844925828303905512957",
"147834672082864154539719518324665509669"
],
"threshold": 0.9
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1d13e7221035947c62800c9d3d99b4ed570e27e7"
},
{
"id": "CVE-2022-48814-177ed5d8",
"signature_type": "Function",
"target": {
"file": "drivers/net/dsa/ocelot/seville_vsc9953.c",
"function": "vsc9953_mdio_bus_alloc"
},
"deprecated": false,
"digest": {
"length": 1224.0,
"function_hash": "274512319417588157591447773410321375664"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bd488afc3b39e045ba71aab472233f2a78726e7b"
},
{
"id": "CVE-2022-48814-52335d14",
"signature_type": "Line",
"target": {
"file": "drivers/net/dsa/ocelot/seville_vsc9953.c"
},
"deprecated": false,
"digest": {
"line_hashes": [
"59001319304816054099902187454917869893",
"149102352603798254756837791018163812555",
"159220299796103731524005503318742432958",
"27141492480661959040060331253506773241",
"173158703474322103532514367156789795148",
"250849225691121184099837799520065597356",
"80948991043095986844925828303905512957",
"147834672082864154539719518324665509669"
],
"threshold": 0.9
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bd488afc3b39e045ba71aab472233f2a78726e7b"
},
{
"id": "CVE-2022-48814-6485bae5",
"signature_type": "Function",
"target": {
"file": "drivers/net/dsa/ocelot/seville_vsc9953.c",
"function": "vsc9953_mdio_bus_free"
},
"deprecated": false,
"digest": {
"length": 284.0,
"function_hash": "36664596050076886443086874849228940813"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1d13e7221035947c62800c9d3d99b4ed570e27e7"
},
{
"id": "CVE-2022-48814-8735b40f",
"signature_type": "Function",
"target": {
"file": "drivers/net/dsa/ocelot/seville_vsc9953.c",
"function": "vsc9953_mdio_bus_alloc"
},
"deprecated": false,
"digest": {
"length": 1287.0,
"function_hash": "207607989796727339523956592860920530592"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1d13e7221035947c62800c9d3d99b4ed570e27e7"
}
]
}