CVE-2022-48814 in Linux
Summary
by MITRE • 07/16/2024
In the Linux kernel, the following vulnerability has been resolved:
net: dsa: seville: register the mdiobus under devres
As explained in commits:
74b6d7d13307 ("net: dsa: realtek: register the MDIO bus under devres")
5135e96a3dd2 ("net: dsa: don't allocate the slave_mii_bus using devres")
mdiobus_free() will panic when called from devm_mdiobus_free() <- devres_release_all() <- __device_release_driver(), and that mdiobus was not previously unregistered.
The Seville VSC9959 switch is a platform device, so the initial set of constraints that I thought would cause this (I2C or SPI buses which call ->remove on ->shutdown) do not apply. But there is one more which applies here.
If the DSA master itself is on a bus that calls ->remove from ->shutdown (like dpaa2-eth, which is on the fsl-mc bus), there is a device link between the switch and the DSA master, and device_links_unbind_consumers() will unbind the seville switch driver on shutdown.
So the same treatment must be applied to all DSA switch drivers, which is: either use devres for both the mdiobus allocation and registration, or don't use devres at all.
The seville driver has a code structure that could accommodate both the mdiobus_unregister and mdiobus_free calls, but it has an external dependency upon mscc_miim_setup() from mdio-mscc-miim.c, which calls devm_mdiobus_alloc_size() on its behalf. So rather than restructuring that, and exporting yet one more symbol mscc_miim_teardown(), let's work with devres and replace of_mdiobus_register with the devres variant. When we use all-devres, we can ensure that devres doesn't free a still-registered bus (it either runs both callbacks, or none).
Analysis
by VulDB Data Team • 10/03/2025
The vulnerability described in CVE-2022-48814 is a resource lifecycle bug, not a race condition, in the Linux kernel's Distributed Switch Architecture (DSA) subsystem, specifically in the Seville switch driver. The driver's MDIO bus is allocated through device resource management (devres) but registered outside it, so if the driver is unbound without its own teardown having unregistered the bus, devres frees a bus that is still registered and mdiobus_free() panics. The result is a kernel panic during system shutdown or driver unbind. The underlying cause is inconsistent handling of the MDIO bus lifecycle across DSA switch drivers: some manage both allocation and registration with devres, some manage neither, and Seville, before this fix, managed only the allocation, which leaves the cleanup order undefined on the unbind path.
The technical root cause is the interaction between devres cleanup and the MDIO bus state. When the driver is unbound, __device_release_driver() calls devres_release_all(), which runs devm_mdiobus_free() and therefore mdiobus_free() on the bus. If nothing has called mdiobus_unregister() first, the bus is still registered at that point and mdiobus_free() panics. Because Seville is a platform device, the first trigger the author considered (I2C or SPI buses whose ->shutdown calls ->remove) does not apply to it. The trigger that does apply is a device link: when the DSA master sits on a bus that invokes ->remove from ->shutdown, as dpaa2-eth on the fsl-mc bus does, device_links_unbind_consumers() unbinds the Seville switch driver at shutdown, and devres releases the bus on that path without the driver's teardown having unregistered it.
The operational impact is an availability problem rather than a memory-safety one. The panic fires during shutdown or driver unbind, so on affected hardware an orderly reboot can end in a hang or a forced reset instead of a clean power cycle, which matters most on embedded networking, industrial and telecommunications systems that are expected to reboot unattended. No attacker-controlled input is involved; the condition is reached through normal system operation. The bug is a good illustration of how inconsistent resource management patterns across related drivers turn a routine code path into a crash.
The fix applies the rule set out in the earlier Realtek and DSA core commits: a DSA switch driver must either manage both the MDIO bus allocation and its registration with devres, or manage neither. Because seville's bus is allocated on its behalf by mscc_miim_setup() in mdio-mscc-miim.c, which calls devm_mdiobus_alloc_size(), the less invasive option is to go all-devres and replace of_mdiobus_register() with its devres variant, devm_of_mdiobus_register(), rather than to export an additional mscc_miim_teardown() symbol. devres releases resources in reverse order of registration, so with both actions on the devres list the unregister runs before the free, and a still-registered bus can no longer be freed. The CWE-691 (Insufficient Control Flow Management) classification cited here fits that reading: the flaw is an ordering problem in the cleanup sequence, not a defect in the MDIO bus code itself.
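To make the ordering concrete, the following is an added example for this page, not kernel code and not part of the commit. It models devres as a stack of release actions that run last-in, first-out, gives an MDIO bus a four-state lifecycle, and then runs the two probe shapes discussed above: the pre-fix "mixed" shape (devres-managed allocation, unmanaged registration, unregister left to a driver teardown hook) and the all-devres shape the fix adopts. The names devm_mdiobus_alloc, devm_mdiobus_register and devres_release_all mirror the kernel's but are simplified stand-ins; the teardown_runs parameter is an assumed knob that models whether the driver's own unregister call is reached before the unbind, which on the shutdown path described above it is not.

```c
/* Added example: a model of devres release ordering for an MDIO bus.
 * Not kernel code; the helpers are simplified stand-ins for the real
 * drivers/base/devres.c and drivers/net/phy/mdio_bus.c functions. */
#include <stdio.h>
#include <stdlib.h>

enum mdiobus_state { MDIOBUS_ALLOCATED, MDIOBUS_REGISTERED,
                     MDIOBUS_UNREGISTERED, MDIOBUS_RELEASED };

struct mii_bus { enum mdiobus_state state; };

/* devres: one release action per managed resource, run in reverse
 * order of registration (last added, first released). */
#define DEVRES_MAX 8
struct devres { void (*release)(void *res); void *res; };
struct device { struct devres list[DEVRES_MAX]; int count; };

/* Stand-in for a kernel panic: record it instead of halting. */
static int kernel_panicked;

static void devres_add(struct device *dev, void (*release)(void *), void *res)
{
    if (dev->count == DEVRES_MAX) abort();
    dev->list[dev->count].release = release;
    dev->list[dev->count].res = res;
    dev->count++;
}

/* devres_release_all(): LIFO walk, as __device_release_driver() does. */
static void devres_release_all(struct device *dev)
{
    while (dev->count > 0) {
        struct devres *d = &dev->list[--dev->count];
        d->release(d->res);
    }
}

/* Unmanaged mdiobus core. */
static struct mii_bus *mdiobus_alloc(void)
{
    struct mii_bus *bus = calloc(1, sizeof(*bus));
    if (!bus) abort();
    bus->state = MDIOBUS_ALLOCATED;
    return bus;
}
static void mdiobus_register(struct mii_bus *bus) { bus->state = MDIOBUS_REGISTERED; }
static void mdiobus_unregister(struct mii_bus *bus) { bus->state = MDIOBUS_UNREGISTERED; }

/* The real mdiobus_free() panics on a still-registered bus (that is the
 * crash the commit describes); the model records the panic instead. */
static void mdiobus_free(struct mii_bus *bus)
{
    if (bus->state == MDIOBUS_REGISTERED) {
        kernel_panicked = 1;
        return;
    }
    bus->state = MDIOBUS_RELEASED;
    free(bus);
}

/* devres-managed variants: each pushes its undo action onto the stack. */
static void devm_mdiobus_free(void *res) { mdiobus_free(res); }
static void devm_mdiobus_unregister(void *res) { mdiobus_unregister(res); }

static struct mii_bus *devm_mdiobus_alloc(struct device *dev)
{
    struct mii_bus *bus = mdiobus_alloc();
    devres_add(dev, devm_mdiobus_free, bus);
    return bus;
}
static void devm_mdiobus_register(struct device *dev, struct mii_bus *bus)
{
    mdiobus_register(bus);
    devres_add(dev, devm_mdiobus_unregister, bus);
}

/* Mixed shape (pre-fix): devres owns the allocation, registration is
 * unmanaged, and unregistering is left to a driver teardown hook.
 * teardown_runs (assumed knob) says whether that hook is reached.
 * Returns 1 if the model panicked, 0 otherwise. */
static int simulate_mixed(int teardown_runs)
{
    struct device dev = {0};
    struct mii_bus *bus = devm_mdiobus_alloc(&dev);

    kernel_panicked = 0;
    mdiobus_register(bus);          /* of_mdiobus_register() */
    if (teardown_runs)
        mdiobus_unregister(bus);    /* driver ->teardown */
    devres_release_all(&dev);       /* driver unbound */
    if (kernel_panicked)
        free(bus);                  /* reclaim in the model only */
    return kernel_panicked;
}

/* All-devres shape (the fix): unregister and free both sit on the
 * devres stack, so LIFO release unregisters first and frees second
 * whether or not the driver's own teardown hook ran. */
static int simulate_all_devres(int teardown_runs)
{
    struct device dev = {0};
    struct mii_bus *bus = devm_mdiobus_alloc(&dev);

    kernel_panicked = 0;
    devm_mdiobus_register(&dev, bus);   /* devm_of_mdiobus_register() */
    (void)teardown_runs;                /* nothing left for teardown to do */
    devres_release_all(&dev);
    return kernel_panicked;
}

int main(void)
{
    printf("mixed, teardown ran:     %s\n", simulate_mixed(1) ? "PANIC" : "ok");
    printf("mixed, teardown skipped: %s\n", simulate_mixed(0) ? "PANIC" : "ok");
    printf("all-devres, skipped:     %s\n", simulate_all_devres(0) ? "PANIC" : "ok");
    return 0;
}
```

The mixed shape only survives when the teardown hook happens to run before the unbind; the all-devres shape is order-correct by construction, which is exactly why the commit message says devres "either runs both callbacks, or none".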