In the Linux kernel, the following vulnerability has been resolved:
net: dsa: ar9331: register the mdiobus under devres
As explained in commits: 74b6d7d13307 ("net: dsa: realtek: register the MDIO bus under devres") 5135e96a3dd2 ("net: dsa: don't allocate the slavemiibus using devres")
mdiobusfree() will panic when called from devmmdiobusfree() <- devresreleaseall() <- _devicereleasedriver(), and that mdiobus was not previously unregistered.
The ar9331 is an MDIO device, so the initial set of constraints that I thought would cause this (I2C or SPI buses which call ->remove on ->shutdown) do not apply. But there is one more which applies here.
If the DSA master itself is on a bus that calls ->remove from ->shutdown (like dpaa2-eth, which is on the fsl-mc bus), there is a device link between the switch and the DSA master, and devicelinksunbind_consumers() will unbind the ar9331 switch driver on shutdown.
So the same treatment must be applied to all DSA switch drivers, which is: either use devres for both the mdiobus allocation and registration, or don't use devres at all.
The ar9331 driver doesn't have a complex code structure for mdiobus removal, so just replace ofmdiobusregister with the devres variant in order to be all-devres and ensure that we don't free a still-registered bus.
{ "vanir_signatures": [ { "digest": { "length": 204.0, "function_hash": "7231237077957827107151215927744140165" }, "id": "CVE-2022-48817-0132b746", "signature_version": "v1", "deprecated": false, "signature_type": "Function", "target": { "function": "ar9331_sw_remove", "file": "drivers/net/dsa/qca/ar9331.c" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@475ce5dcf2d88fd4f3c213a0ac944e3e40702970" }, { "digest": { "length": 580.0, "function_hash": "226240037260468495952872603763880223239" }, "id": "CVE-2022-48817-06f1778b", "signature_version": "v1", "deprecated": false, "signature_type": "Function", "target": { "function": "ar9331_sw_mbus_init", "file": "drivers/net/dsa/qca/ar9331.c" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@aae1c6a1d3d696fc33b609fb12fe744a556d1dc5" }, { "digest": { "length": 580.0, "function_hash": "226240037260468495952872603763880223239" }, "id": "CVE-2022-48817-20f0659b", "signature_version": "v1", "deprecated": false, "signature_type": "Function", "target": { "function": "ar9331_sw_mbus_init", "file": "drivers/net/dsa/qca/ar9331.c" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@475ce5dcf2d88fd4f3c213a0ac944e3e40702970" }, { "digest": { "line_hashes": [ "231367425530815438675887440976515825811", "70403573786930730520234647430218644250", "46589036113819385946703615198017756140", "169214330075990309672359967329087787884", "146665029218251157510983817798038865804", "56287902735845047959224707311076872884", "124061259227070548761827738987966707392", "163120402612153368584690670889513091829" ], "threshold": 0.9 }, "id": "CVE-2022-48817-26946d1c", "signature_version": "v1", "deprecated": false, "signature_type": "Line", "target": { "file": "drivers/net/dsa/qca/ar9331.c" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@aae1c6a1d3d696fc33b609fb12fe744a556d1dc5" }, { "digest": { "line_hashes": [ "231367425530815438675887440976515825811", "70403573786930730520234647430218644250", "46589036113819385946703615198017756140", "169214330075990309672359967329087787884", "146665029218251157510983817798038865804", "56287902735845047959224707311076872884", "124061259227070548761827738987966707392", "163120402612153368584690670889513091829" ], "threshold": 0.9 }, "id": "CVE-2022-48817-30028e19", "signature_version": "v1", "deprecated": false, "signature_type": "Line", "target": { "file": "drivers/net/dsa/qca/ar9331.c" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@50facd86e9fbc4b93fe02e5fe05776047f45dbfb" }, { "digest": { "length": 580.0, "function_hash": "226240037260468495952872603763880223239" }, "id": "CVE-2022-48817-527225c8", "signature_version": "v1", "deprecated": false, "signature_type": "Function", "target": { "function": "ar9331_sw_mbus_init", "file": "drivers/net/dsa/qca/ar9331.c" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f1842a8cb71de4d7eb75a86f76e88c7ee739218c" }, { "digest": { "length": 415.0, "function_hash": "312312815375432954020393021779453694875" }, "id": "CVE-2022-48817-5cfb6d60", "signature_version": "v1", "deprecated": false, "signature_type": "Function", "target": { "function": "ar9331_sw_remove", "file": "drivers/net/dsa/qca/ar9331.c" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@50facd86e9fbc4b93fe02e5fe05776047f45dbfb" }, { "digest": { "length": 415.0, "function_hash": "312312815375432954020393021779453694875" }, "id": "CVE-2022-48817-5fceb73b", "signature_version": "v1", "deprecated": false, "signature_type": "Function", "target": { "function": "ar9331_sw_remove", "file": "drivers/net/dsa/qca/ar9331.c" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f1842a8cb71de4d7eb75a86f76e88c7ee739218c" }, { "digest": { "line_hashes": [ "231367425530815438675887440976515825811", "70403573786930730520234647430218644250", "46589036113819385946703615198017756140", "169214330075990309672359967329087787884", "146665029218251157510983817798038865804", "56287902735845047959224707311076872884", "124061259227070548761827738987966707392", "163120402612153368584690670889513091829" ], "threshold": 0.9 }, "id": "CVE-2022-48817-6e8ee06a", "signature_version": "v1", "deprecated": false, "signature_type": "Line", "target": { "file": "drivers/net/dsa/qca/ar9331.c" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f1842a8cb71de4d7eb75a86f76e88c7ee739218c" }, { "digest": { "length": 580.0, "function_hash": "226240037260468495952872603763880223239" }, "id": "CVE-2022-48817-9109ab73", "signature_version": "v1", "deprecated": false, "signature_type": "Function", "target": { "function": "ar9331_sw_mbus_init", "file": "drivers/net/dsa/qca/ar9331.c" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@50facd86e9fbc4b93fe02e5fe05776047f45dbfb" }, { "digest": { "length": 415.0, "function_hash": "312312815375432954020393021779453694875" }, "id": "CVE-2022-48817-d93c231e", "signature_version": "v1", "deprecated": false, "signature_type": "Function", "target": { "function": "ar9331_sw_remove", "file": "drivers/net/dsa/qca/ar9331.c" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@aae1c6a1d3d696fc33b609fb12fe744a556d1dc5" }, { "digest": { "line_hashes": [ "231367425530815438675887440976515825811", "70403573786930730520234647430218644250", "46589036113819385946703615198017756140", "169214330075990309672359967329087787884", "41682798665848323502815982770592835477", "62060266260075733663226148395929647724", "124061259227070548761827738987966707392", "58496139071098231314338916449566501558" ], "threshold": 0.9 }, "id": "CVE-2022-48817-fb749e41", "signature_version": "v1", "deprecated": false, "signature_type": "Line", "target": { "file": "drivers/net/dsa/qca/ar9331.c" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@475ce5dcf2d88fd4f3c213a0ac944e3e40702970" } ] }