cve-2022-48818
Vulnerability from cvelistv5
Published
2024-07-16 11:44
Modified
2024-11-04 12:17
Severity ?
EPSS score ?
Summary
net: dsa: mv88e6xxx: don't use devres for mdiobus
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T15:25:01.623Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/8ccebe77df6e0d88c72ba5e69cf1835927e53b6c"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/8b626d45127d6f5ada7d815b83cfdc09e8cb1394"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/1b451c3994a2d322f8e55032c62c8b47b7d95900"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/f53a2ce893b2c7884ef94471f170839170a4eba0"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-48818",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T16:58:09.054337Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:34:12.506Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/dsa/mv88e6xxx/chip.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8ccebe77df6e",
"status": "affected",
"version": "ac3a68d56651",
"versionType": "git"
},
{
"lessThan": "8b626d45127d",
"status": "affected",
"version": "ac3a68d56651",
"versionType": "git"
},
{
"lessThan": "1b451c3994a2",
"status": "affected",
"version": "ac3a68d56651",
"versionType": "git"
},
{
"lessThan": "f53a2ce893b2",
"status": "affected",
"version": "ac3a68d56651",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/dsa/mv88e6xxx/chip.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.101",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: mv88e6xxx: don\u0027t use devres for mdiobus\n\nAs explained in commits:\n74b6d7d13307 (\"net: dsa: realtek: register the MDIO bus under devres\")\n5135e96a3dd2 (\"net: dsa: don\u0027t allocate the slave_mii_bus using devres\")\n\nmdiobus_free() will panic when called from devm_mdiobus_free() \u003c-\ndevres_release_all() \u003c- __device_release_driver(), and that mdiobus was\nnot previously unregistered.\n\nThe mv88e6xxx is an MDIO device, so the initial set of constraints that\nI thought would cause this (I2C or SPI buses which call -\u003eremove on\n-\u003eshutdown) do not apply. But there is one more which applies here.\n\nIf the DSA master itself is on a bus that calls -\u003eremove from -\u003eshutdown\n(like dpaa2-eth, which is on the fsl-mc bus), there is a device link\nbetween the switch and the DSA master, and device_links_unbind_consumers()\nwill unbind the Marvell switch driver on shutdown.\n\nsystemd-shutdown[1]: Powering off.\nmv88e6085 0x0000000008b96000:00 sw_gl0: Link is Down\nfsl-mc dpbp.9: Removing from iommu group 7\nfsl-mc dpbp.8: Removing from iommu group 7\n------------[ cut here ]------------\nkernel BUG at drivers/net/phy/mdio_bus.c:677!\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nModules linked in:\nCPU: 0 PID: 1 Comm: systemd-shutdow Not tainted 5.16.5-00040-gdc05f73788e5 #15\npc : mdiobus_free+0x44/0x50\nlr : devm_mdiobus_free+0x10/0x20\nCall trace:\n mdiobus_free+0x44/0x50\n devm_mdiobus_free+0x10/0x20\n devres_release_all+0xa0/0x100\n __device_release_driver+0x190/0x220\n device_release_driver_internal+0xac/0xb0\n device_links_unbind_consumers+0xd4/0x100\n __device_release_driver+0x4c/0x220\n device_release_driver_internal+0xac/0xb0\n device_links_unbind_consumers+0xd4/0x100\n __device_release_driver+0x94/0x220\n device_release_driver+0x28/0x40\n bus_remove_device+0x118/0x124\n device_del+0x174/0x420\n fsl_mc_device_remove+0x24/0x40\n __fsl_mc_device_remove+0xc/0x20\n device_for_each_child+0x58/0xa0\n dprc_remove+0x90/0xb0\n fsl_mc_driver_remove+0x20/0x5c\n __device_release_driver+0x21c/0x220\n device_release_driver+0x28/0x40\n bus_remove_device+0x118/0x124\n device_del+0x174/0x420\n fsl_mc_bus_remove+0x80/0x100\n fsl_mc_bus_shutdown+0xc/0x1c\n platform_shutdown+0x20/0x30\n device_shutdown+0x154/0x330\n kernel_power_off+0x34/0x6c\n __do_sys_reboot+0x15c/0x250\n __arm64_sys_reboot+0x20/0x30\n invoke_syscall.constprop.0+0x4c/0xe0\n do_el0_svc+0x4c/0x150\n el0_svc+0x24/0xb0\n el0t_64_sync_handler+0xa8/0xb0\n el0t_64_sync+0x178/0x17c\n\nSo the same treatment must be applied to all DSA switch drivers, which\nis: either use devres for both the mdiobus allocation and registration,\nor don\u0027t use devres at all.\n\nThe Marvell driver already has a good structure for mdiobus removal, so\njust plug in mdiobus_free and get rid of devres."
}
],
"providerMetadata": {
"dateUpdated": "2024-11-04T12:17:10.747Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8ccebe77df6e0d88c72ba5e69cf1835927e53b6c"
},
{
"url": "https://git.kernel.org/stable/c/8b626d45127d6f5ada7d815b83cfdc09e8cb1394"
},
{
"url": "https://git.kernel.org/stable/c/1b451c3994a2d322f8e55032c62c8b47b7d95900"
},
{
"url": "https://git.kernel.org/stable/c/f53a2ce893b2c7884ef94471f170839170a4eba0"
}
],
"title": "net: dsa: mv88e6xxx: don\u0027t use devres for mdiobus",
"x_generator": {
"engine": "bippy-9e1c9544281a"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-48818",
"datePublished": "2024-07-16T11:44:05.957Z",
"dateReserved": "2024-07-16T11:38:08.900Z",
"dateUpdated": "2024-11-04T12:17:10.747Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2022-48818\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-07-16T12:15:05.813\",\"lastModified\":\"2024-11-21T07:34:08.730\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: dsa: mv88e6xxx: don\u0027t use devres for mdiobus\\n\\nAs explained in commits:\\n74b6d7d13307 (\\\"net: dsa: realtek: register the MDIO bus under devres\\\")\\n5135e96a3dd2 (\\\"net: dsa: don\u0027t allocate the slave_mii_bus using devres\\\")\\n\\nmdiobus_free() will panic when called from devm_mdiobus_free() \u003c-\\ndevres_release_all() \u003c- __device_release_driver(), and that mdiobus was\\nnot previously unregistered.\\n\\nThe mv88e6xxx is an MDIO device, so the initial set of constraints that\\nI thought would cause this (I2C or SPI buses which call -\u003eremove on\\n-\u003eshutdown) do not apply. But there is one more which applies here.\\n\\nIf the DSA master itself is on a bus that calls -\u003eremove from -\u003eshutdown\\n(like dpaa2-eth, which is on the fsl-mc bus), there is a device link\\nbetween the switch and the DSA master, and device_links_unbind_consumers()\\nwill unbind the Marvell switch driver on shutdown.\\n\\nsystemd-shutdown[1]: Powering off.\\nmv88e6085 0x0000000008b96000:00 sw_gl0: Link is Down\\nfsl-mc dpbp.9: Removing from iommu group 7\\nfsl-mc dpbp.8: Removing from iommu group 7\\n------------[ cut here ]------------\\nkernel BUG at drivers/net/phy/mdio_bus.c:677!\\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\\nModules linked in:\\nCPU: 0 PID: 1 Comm: systemd-shutdow Not tainted 5.16.5-00040-gdc05f73788e5 #15\\npc : mdiobus_free+0x44/0x50\\nlr : devm_mdiobus_free+0x10/0x20\\nCall trace:\\n mdiobus_free+0x44/0x50\\n devm_mdiobus_free+0x10/0x20\\n devres_release_all+0xa0/0x100\\n __device_release_driver+0x190/0x220\\n device_release_driver_internal+0xac/0xb0\\n device_links_unbind_consumers+0xd4/0x100\\n __device_release_driver+0x4c/0x220\\n device_release_driver_internal+0xac/0xb0\\n device_links_unbind_consumers+0xd4/0x100\\n __device_release_driver+0x94/0x220\\n device_release_driver+0x28/0x40\\n bus_remove_device+0x118/0x124\\n device_del+0x174/0x420\\n fsl_mc_device_remove+0x24/0x40\\n __fsl_mc_device_remove+0xc/0x20\\n device_for_each_child+0x58/0xa0\\n dprc_remove+0x90/0xb0\\n fsl_mc_driver_remove+0x20/0x5c\\n __device_release_driver+0x21c/0x220\\n device_release_driver+0x28/0x40\\n bus_remove_device+0x118/0x124\\n device_del+0x174/0x420\\n fsl_mc_bus_remove+0x80/0x100\\n fsl_mc_bus_shutdown+0xc/0x1c\\n platform_shutdown+0x20/0x30\\n device_shutdown+0x154/0x330\\n kernel_power_off+0x34/0x6c\\n __do_sys_reboot+0x15c/0x250\\n __arm64_sys_reboot+0x20/0x30\\n invoke_syscall.constprop.0+0x4c/0xe0\\n do_el0_svc+0x4c/0x150\\n el0_svc+0x24/0xb0\\n el0t_64_sync_handler+0xa8/0xb0\\n el0t_64_sync+0x178/0x17c\\n\\nSo the same treatment must be applied to all DSA switch drivers, which\\nis: either use devres for both the mdiobus allocation and registration,\\nor don\u0027t use devres at all.\\n\\nThe Marvell driver already has a good structure for mdiobus removal, so\\njust plug in mdiobus_free and get rid of devres.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: dsa: mv88e6xxx: no use devres para mdiobus Como se explica en los commits: 74b6d7d13307 (\\\"net: dsa: realtek: registre el bus MDIO en devres\\\") 5135e96a3dd2 (\\\" net: dsa: no asigne el esclavo_mii_bus usando devres\\\") mdiobus_free() entrar\u00e1 en p\u00e1nico cuando se llame desde devm_mdiobus_free() \u0026lt;- devres_release_all() \u0026lt;- __device_release_driver(), y ese mdiobus no fue anulado previamente. El mv88e6xxx es un dispositivo MDIO, por lo que el conjunto inicial de restricciones que pens\u00e9 que causar\u00eda esto (buses I2C o SPI que llaman -\u0026gt;eliminar en -\u0026gt;apagar) no se aplican. Pero hay algo m\u00e1s que se aplica aqu\u00ed. Si el maestro DSA est\u00e1 en un bus que llama -\u0026gt;remove from -\u0026gt;shutdown (como dpaa2-eth, que est\u00e1 en el bus fsl-mc), hay un enlace de dispositivo entre el conmutador y el maestro DSA, y device_links_unbind_consumers( ) desvincular\u00e1 el controlador del interruptor Marvell al apagarlo. systemd-shutdown[1]: Apagando. mv88e6085 0x0000000008b96000:00 sw_gl0: El enlace est\u00e1 inactivo fsl-mc dpbp.9: Eliminando del grupo iommu 7 fsl-mc dpbp.8: Eliminando del grupo iommu 7 ------------[ cortar aqu\u00ed ]- ----------- \u00a1ERROR del kernel en drivers/net/phy/mdio_bus.c:677! Error interno: Ups - ERROR: 0 [#1] PREEMPT M\u00f3dulos SMP vinculados en: CPU: 0 PID: 1 Comm: systemd-shutdow Not tainted 5.16.5-00040-gdc05f73788e5 #15 pc: mdiobus_free+0x44/0x50 lr: devm_mdiobus_free +0x10/0x20 Rastreo de llamadas: mdiobus_free+0x44/0x50 devm_mdiobus_free+0x10/0x20 devres_release_all+0xa0/0x100 __device_release_driver+0x190/0x220 device_release_driver_internal+0xac/0xb0 device_links_unbind_consumers+0xd4/0x 100 __device_release_driver+0x4c/0x220 dispositivo_release_driver_internal+0xac/0xb0 device_links_unbind_consumers+0xd4 /0x100 __device_release_driver+0x94/0x220 dispositivo_release_driver+0x28/0x40 bus_remove_device+0x118/0x124 device_del+0x174/0x420 fsl_mc_device_remove+0x24/0x40 __fsl_mc_device_remove+0xc/0x20 _for_each_child+0x58/0xa0 dprc_remove+0x90/0xb0 fsl_mc_driver_remove+0x20/0x5c __device_release_driver+0x21c /0x220 dispositivo_liberaci\u00f3n_controlador+0x28/0x40 bus_remove_device+0x118/0x124 dispositivo_del+0x174/0x420 fsl_mc_bus_remove+0x80/0x100 fsl_mc_bus_shutdown+0xc/0x1c plataforma_apagado+0x20/0x30 54/0x330 kernel_power_off+0x34/0x6c __do_sys_reboot+0x15c/0x250 __arm64_sys_reboot+0x20 /0x30 invoke_syscall.constprop.0+0x4c/0xe0 do_el0_svc+0x4c/0x150 el0_svc+0x24/0xb0 el0t_64_sync_handler+0xa8/0xb0 el0t_64_sync+0x178/0x17c Por lo tanto, se debe aplicar el mismo tratamiento a todos los controladores de conmutador DSA, que es: usar devres tanto para la asignaci\u00f3n como para el registro de mdiobus, o no utilice devres en absoluto. El controlador Marvell ya tiene una buena estructura para la eliminaci\u00f3n de mdiobus, as\u00ed que simplemente conecte mdiobus_free y elimine los devres.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1b451c3994a2d322f8e55032c62c8b47b7d95900\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/8b626d45127d6f5ada7d815b83cfdc09e8cb1394\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/8ccebe77df6e0d88c72ba5e69cf1835927e53b6c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f53a2ce893b2c7884ef94471f170839170a4eba0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/1b451c3994a2d322f8e55032c62c8b47b7d95900\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/8b626d45127d6f5ada7d815b83cfdc09e8cb1394\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/8ccebe77df6e0d88c72ba5e69cf1835927e53b6c\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/f53a2ce893b2c7884ef94471f170839170a4eba0\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.