CVE-2022-48818

As explained in commits: 74b6d7d13307 ("net: dsa: realtek: register the MDIO bus under devres") 5135e96a3dd2 ("net: dsa: don't allocate the slavemiibus using devres")

mdiobusfree() will panic when called from devmmdiobusfree() <- devresreleaseall() <- _devicereleasedriver(), and that mdiobus was not previously unregistered.

The mv88e6xxx is an MDIO device, so the initial set of constraints that I thought would cause this (I2C or SPI buses which call ->remove on ->shutdown) do not apply. But there is one more which applies here.

If the DSA master itself is on a bus that calls ->remove from ->shutdown (like dpaa2-eth, which is on the fsl-mc bus), there is a device link between the switch and the DSA master, and devicelinksunbind_consumers() will unbind the Marvell switch driver on shutdown.

systemd-shutdown[1]: Powering off. mv88e6085 0x0000000008b96000:00 swgl0: Link is Down fsl-mc dpbp.9: Removing from iommu group 7 fsl-mc dpbp.8: Removing from iommu group 7 ------------[ cut here ]------------ kernel BUG at drivers/net/phy/mdiobus.c:677! Internal error: Oops - BUG: 0 [#1] PREEMPT SMP Modules linked in: CPU: 0 PID: 1 Comm: systemd-shutdow Not tainted 5.16.5-00040-gdc05f73788e5 #15 pc : mdiobusfree+0x44/0x50 lr : devmmdiobusfree+0x10/0x20 Call trace: mdiobusfree+0x44/0x50 devmmdiobusfree+0x10/0x20 devresreleaseall+0xa0/0x100 _devicereleasedriver+0x190/0x220 devicereleasedriverinternal+0xac/0xb0 devicelinksunbindconsumers+0xd4/0x100 _devicereleasedriver+0x4c/0x220 devicereleasedriverinternal+0xac/0xb0 devicelinksunbindconsumers+0xd4/0x100 _devicereleasedriver+0x94/0x220 devicereleasedriver+0x28/0x40 busremovedevice+0x118/0x124 devicedel+0x174/0x420 fslmcdeviceremove+0x24/0x40 _fslmcdeviceremove+0xc/0x20 deviceforeachchild+0x58/0xa0 dprcremove+0x90/0xb0 fslmcdriverremove+0x20/0x5c _devicereleasedriver+0x21c/0x220 devicereleasedriver+0x28/0x40 busremovedevice+0x118/0x124 devicedel+0x174/0x420 fslmcbusremove+0x80/0x100 fslmcbusshutdown+0xc/0x1c platformshutdown+0x20/0x30 deviceshutdown+0x154/0x330 kernelpoweroff+0x34/0x6c _dosysreboot+0x15c/0x250 _arm64sysreboot+0x20/0x30 invokesyscall.constprop.0+0x4c/0xe0 doel0svc+0x4c/0x150 el0svc+0x24/0xb0 el0t64synchandler+0xa8/0xb0 el0t64_sync+0x178/0x17c

So the same treatment must be applied to all DSA switch drivers, which is: either use devres for both the mdiobus allocation and registration, or don't use devres at all.

The Marvell driver already has a good structure for mdiobus removal, so just plug in mdiobus_free and get rid of devres.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

ac3a68d56651c3dad2c12c7afce065fe15267f44

Fixed

8ccebe77df6e0d88c72ba5e69cf1835927e53b6c

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

ac3a68d56651c3dad2c12c7afce065fe15267f44

Fixed

8b626d45127d6f5ada7d815b83cfdc09e8cb1394

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

ac3a68d56651c3dad2c12c7afce065fe15267f44

Fixed

1b451c3994a2d322f8e55032c62c8b47b7d95900

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

ac3a68d56651c3dad2c12c7afce065fe15267f44

Fixed

f53a2ce893b2c7884ef94471f170839170a4eba0

Affected versions

v5.*

v5.10

v5.10-rc1

v5.10-rc2

v5.10-rc3

v5.10-rc4

v5.10-rc5

v5.10-rc6

v5.10-rc7

v5.10.1

v5.10.10

v5.10.100

v5.10.11

v5.10.12

v5.10.13

v5.10.14

v5.10.15

v5.10.16

v5.10.17

v5.10.18

v5.10.19

v5.10.2

v5.10.20

v5.10.21

v5.10.22

v5.10.23

v5.10.24

v5.10.25

v5.10.26

v5.10.27

v5.10.28

v5.10.29

v5.10.3

v5.10.30

v5.10.31

v5.10.32

v5.10.33

v5.10.34

v5.10.35

v5.10.36

v5.10.37

v5.10.38

v5.10.39

v5.10.4

v5.10.40

v5.10.41

v5.10.42

v5.10.43

v5.10.44

v5.10.45

v5.10.46

v5.10.47

v5.10.48

v5.10.49

v5.10.5

v5.10.50

v5.10.51

v5.10.52

v5.10.53

v5.10.54

v5.10.55

v5.10.56

v5.10.57

v5.10.58

v5.10.59

v5.10.6

v5.10.60

v5.10.61

v5.10.62

v5.10.63

v5.10.64

v5.10.65

v5.10.66

v5.10.67

v5.10.68

v5.10.69

v5.10.7

v5.10.70

v5.10.71

v5.10.72

v5.10.73

v5.10.74

v5.10.75

v5.10.76

v5.10.77

v5.10.78

v5.10.79

v5.10.8

v5.10.80

v5.10.81

v5.10.82

v5.10.83

v5.10.84

v5.10.85

v5.10.86

v5.10.87

v5.10.88

v5.10.89

v5.10.9

v5.10.90

v5.10.91

v5.10.92

v5.10.93

v5.10.94

v5.10.95

v5.10.96

v5.10.97

v5.10.98

v5.10.99

v5.11

v5.11-rc1

v5.11-rc2

v5.11-rc3

v5.11-rc4

v5.11-rc5

v5.11-rc6

v5.11-rc7

v5.12

v5.12-rc1

v5.12-rc1-dontuse

v5.12-rc2

v5.12-rc3

v5.12-rc4

v5.12-rc5

v5.12-rc6

v5.12-rc7

v5.12-rc8

v5.13

v5.13-rc1

v5.13-rc2

v5.13-rc3

v5.13-rc4

v5.13-rc5

v5.13-rc6

v5.13-rc7

v5.14

v5.14-rc1

v5.14-rc2

v5.14-rc3

v5.14-rc4

v5.14-rc5

v5.14-rc6

v5.14-rc7

v5.15

v5.15-rc1

v5.15-rc2

v5.15-rc3

v5.15-rc4

v5.15-rc5

v5.15-rc6

v5.15-rc7

v5.15.1

v5.15.10

v5.15.11

v5.15.12

v5.15.13

v5.15.14

v5.15.15

v5.15.16

v5.15.17

v5.15.18

v5.15.19

v5.15.2

v5.15.20

v5.15.21

v5.15.22

v5.15.23

v5.15.3

v5.15.4

v5.15.5

v5.15.6

v5.15.7

v5.15.8

v5.15.9

v5.16

v5.16-rc1

v5.16-rc2

v5.16-rc3

v5.16-rc4

v5.16-rc5

v5.16-rc6

v5.16-rc7

v5.16-rc8

v5.16.1

v5.16.2

v5.16.3

v5.16.4

v5.16.5

v5.16.6

v5.16.7

v5.16.8

v5.16.9

v5.17-rc1

v5.17-rc2

v5.8

v5.8-rc3

v5.8-rc4

v5.8-rc5

v5.8-rc6

v5.8-rc7

v5.9

v5.9-rc1

v5.9-rc2

v5.9-rc3

v5.9-rc4

v5.9-rc5

v5.9-rc6

v5.9-rc7

v5.9-rc8

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.9.0

Fixed

5.10.101

Type: ECOSYSTEM
Events: Introduced

5.11.0

Fixed

5.15.24

Type: ECOSYSTEM
Events: Introduced

5.16.0

Fixed

5.16.10