CVE-2022-48808

In the Linux kernel, the following vulnerability has been resolved:

net: dsa: fix panic when DSA master device unbinds on shutdown

Rafael reports that on a system with LX2160A and Marvell DSA switches, if a reboot occurs while the DSA master (dpaa2-eth) is up, the following panic can be seen:

systemd-shutdown[1]: Rebooting. Unable to handle kernel paging request at virtual address 00a0000800000041 [00a0000800000041] address between user and kernel address ranges Internal error: Oops: 96000004 [#1] PREEMPT SMP CPU: 6 PID: 1 Comm: systemd-shutdow Not tainted 5.16.5-00042-g8f5585009b24 #32 pc : dsaslavenetdeviceevent+0x130/0x3e4 lr : rawnotifiercallchain+0x50/0x6c Call trace: dsaslavenetdeviceevent+0x130/0x3e4 rawnotifiercallchain+0x50/0x6c callnetdevicenotifiersinfo+0x54/0xa0 _devclosemany+0x50/0x130 devclosemany+0x84/0x120 unregisternetdevicemany+0x130/0x710 unregisternetdevicequeue+0x8c/0xd0 unregisternetdev+0x20/0x30 dpaa2ethremove+0x68/0x190 fslmcdriverremove+0x20/0x5c _devicereleasedriver+0x21c/0x220 devicereleasedriverinternal+0xac/0xb0 devicelinksunbindconsumers+0xd4/0x100 _devicereleasedriver+0x94/0x220 devicereleasedriver+0x28/0x40 busremovedevice+0x118/0x124 devicedel+0x174/0x420 fslmcdeviceremove+0x24/0x40 _fslmcdeviceremove+0xc/0x20 deviceforeachchild+0x58/0xa0 dprcremove+0x90/0xb0 fslmcdriverremove+0x20/0x5c _devicereleasedriver+0x21c/0x220 devicereleasedriver+0x28/0x40 busremovedevice+0x118/0x124 devicedel+0x174/0x420 fslmcbusremove+0x80/0x100 fslmcbusshutdown+0xc/0x1c platformshutdown+0x20/0x30 deviceshutdown+0x154/0x330 _dosysreboot+0x1cc/0x250 _arm64sysreboot+0x20/0x30 invokesyscall.constprop.0+0x4c/0xe0 doel0svc+0x4c/0x150 el0svc+0x24/0xb0 el0t64synchandler+0xa8/0xb0 el0t64sync+0x178/0x17c

It can be seen from the stack trace that the problem is that the deregistration of the master causes a devclose(), which gets notified as NETDEVGOINGDOWN to dsaslavenetdeviceevent(). But dsaswitchshutdown() has already run, and this has unregistered the DSA slave interfaces, and yet, the NETDEVGOINGDOWN handler attempts to call devclosemany() on those slave interfaces, leading to the problem.

The previous attempt to avoid the NETDEVGOINGDOWN on the master after dsaswitchshutdown() was called seems improper. Unregistering the slave interfaces is unnecessary and unhelpful. Instead, after the slaves have stopped being uppers of the DSA master, we can now reset to NULL the master->dsa_ptr pointer, which will make DSA start ignoring all future notifier events on the master.