CVE-2022-48813 in Linux

Summary

by MITRE • 07/16/2024

In the Linux kernel, the following vulnerability has been resolved:

net: dsa: felix: don't use devres for mdiobus

As explained in commits:
74b6d7d13307 ("net: dsa: realtek: register the MDIO bus under devres")
5135e96a3dd2 ("net: dsa: don't allocate the slave_mii_bus using devres")

mdiobus_free() will panic when called from devm_mdiobus_free() <- devres_release_all() <- __device_release_driver(), and that mdiobus was not previously unregistered.

The Felix VSC9959 switch is a PCI device, so the initial set of constraints that I thought would cause this (I2C or SPI buses which call ->remove on ->shutdown) do not apply. But there is one more which applies here.

If the DSA master itself is on a bus that calls ->remove from ->shutdown (like dpaa2-eth, which is on the fsl-mc bus), there is a device link between the switch and the DSA master, and device_links_unbind_consumers() will unbind the felix switch driver on shutdown.

So the same treatment must be applied to all DSA switch drivers, which is: either use devres for both the mdiobus allocation and registration, or don't use devres at all.

The felix driver has the code structure in place for orderly mdiobus removal, so just replace devm_mdiobus_alloc_size() with the non-devres variant, and add manual free where necessary, to ensure that we don't let devres free a still-registered bus.


Analysis

by VulDB Data Team • 10/03/2025

CVE-2022-48813 describes a critical issue in the Linux kernel's Distributed Switch Architecture (DSA) subsystem, specifically in the Felix VSC9959 switch driver. It manifests as a potential kernel panic during device shutdown, caused by mismanagement of MDIO bus resources through the device resource management (devres) framework: the kernel attempts to free an MDIO bus that was allocated with devres but never unregistered, and the resulting panic compromises system stability and availability.

The root cause is the inconsistent use of devres within the DSA switch driver. The felix driver allocates the bus with devm_mdiobus_alloc_size() but does not manage the bus lifecycle consistently during shutdown, so devres_release_all() ends up freeing a bus that is still registered, and mdiobus_free(), called from devm_mdiobus_free(), panics. The problem is particularly severe because it occurs during shutdown, when the driver core is already tearing down device links and releasing resources, creating a race condition between device resource cleanup and driver removal.

The operational impact goes beyond a simple crash, because it affects the reliability of network infrastructure that relies on DSA switches in Linux systems. When the DSA master sits on a bus that invokes ->remove from ->shutdown, as dpaa2-eth does on the fsl-mc bus, device_links_unbind_consumers() unbinds the felix switch driver while the system is shutting down, leaving the MDIO bus in an inconsistent state. The VSC9959 is a PCI device, but the underlying issue applies to every DSA switch driver that uses the same resource management pattern: the interaction between devres and driver lifecycle events creates an opportunity for system instability.

In terms of classification, the vulnerability aligns with CWE-415, which addresses double free errors and improper resource management in kernel code, and can be mapped to ATT&CK technique T1490 for system network denial of service through kernel-level resource exhaustion. It is a classic case of a resource allocated under automatic cleanup but not unregistered before that cleanup runs, so the automatic mechanism frees something that is still in use or in an inconsistent state. The fix enforces a consistent pattern across DSA switch drivers: use devres for both allocation and registration, or avoid devres for the MDIO bus entirely. This removes the conflict between the driver's own cleanup and devres during shutdown, preserving stability and preventing a denial of service that would affect network connectivity and system availability.

The resolution requires consistent resource management across all DSA switch drivers. For felix, devm_mdiobus_alloc_size() is replaced with the non-devres variant and manual frees are added where necessary, so devres never attempts to free a still-registered MDIO bus during shutdown and the panic condition is eliminated. The same pattern prevents similar issues in other switch driver implementations and reinforces the principle that resource management must be coordinated with driver lifecycle events, particularly during shutdown, when the driver core is actively managing device links and resource cleanup.
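To make the ordering described in the commit message and in the analysis above concrete, here is an added userspace model of the two lifecycles; it is not kernel code and not part of the commit or this page. The names mirror the kernel's (devm_mdiobus_free, felix_probe, felix_shutdown, felix_remove) but are simplified stand-ins, with a single devres action per device and the bus state reduced to three values; the only assumption is that ->shutdown of the DSA master runs before the consumer's ->remove, as the commit describes.

```c
/* Userspace model of the devres/mdiobus ordering behind CVE-2022-48813; not kernel code. */
#include <stdlib.h>
enum bus_state { MDIOBUS_ALLOCATED, MDIOBUS_REGISTERED, MDIOBUS_UNREGISTERED };
struct mii_bus { enum bus_state state; };
struct device {
    void (*release)(void *);   /* the one devres action, run by devres_release_all() */
    void *res;
    struct mii_bus *felix;     /* driver data; NULL once ->shutdown has run */
};
static int panicked;           /* set where the real mdiobus_free() would BUG() */
static void mdiobus_free(struct mii_bus *bus)
{
    if (bus->state == MDIOBUS_REGISTERED)   /* still registered: the kernel panics here */
        panicked = 1;
    free(bus);
}
static void devm_mdiobus_free(void *res) { mdiobus_free(res); }
static void felix_probe(struct device *dev, int use_devres)
{
    struct mii_bus *bus = calloc(1, sizeof(*bus));
    if (use_devres) { dev->release = devm_mdiobus_free; dev->res = bus; }  /* devm_mdiobus_alloc_size() */
    bus->state = MDIOBUS_REGISTERED;   /* mdiobus_register() is never devres-managed */
    dev->felix = bus;
}
/* ->shutdown detaches the driver data without tearing the switch down. */
static void felix_shutdown(struct device *dev) { dev->felix = NULL; }
/* ->remove finds nothing to tear down once ->shutdown has run. */
static void felix_remove(struct device *dev, int use_devres)
{
    if (!dev->felix) return;
    dev->felix->state = MDIOBUS_UNREGISTERED;   /* mdiobus_unregister() */
    if (!use_devres) mdiobus_free(dev->felix);  /* fixed driver: manual free */
    dev->felix = NULL;
}
/* __device_release_driver(): ->remove first, then devres_release_all(). */
static void driver_unbind(struct device *dev, int use_devres)
{
    felix_remove(dev, use_devres);
    if (dev->release) { dev->release(dev->res); dev->release = NULL; }
}
/* Returns 1 if the unbind sequence reaches the panic path, 0 otherwise. */
int run_sequence(int use_devres, int shutdown_first)
{
    struct device dev = {0}; panicked = 0;
    felix_probe(&dev, use_devres);
    if (shutdown_first) felix_shutdown(&dev);  /* DSA master's ->shutdown ran first ... */
    driver_unbind(&dev, use_devres);           /* ... then device_links_unbind_consumers() */
    return panicked;
}
```

Only the devres-allocated bus combined with shutdown-before-unbind reaches the panic path; in the fixed variant the bus is simply left registered at shutdown, which the kernel tolerates.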

Responsible

Linux

Reservation

07/16/2024

Disclosure

07/16/2024

Moderation

accepted

CPE

ready

EPSS

0.00273

KEV

no

Activities

very low
