CVE-2022-48808

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: dsa: fix panic when DSA master device unbinds on shutdown<br /> <br /> Rafael reports that on a system with LX2160A and Marvell DSA switches,<br /> if a reboot occurs while the DSA master (dpaa2-eth) is up, the following<br /> panic can be seen:<br /> <br /> systemd-shutdown[1]: Rebooting.<br /> Unable to handle kernel paging request at virtual address 00a0000800000041<br /> [00a0000800000041] address between user and kernel address ranges<br /> Internal error: Oops: 96000004 [#1] PREEMPT SMP<br /> CPU: 6 PID: 1 Comm: systemd-shutdow Not tainted 5.16.5-00042-g8f5585009b24 #32<br /> pc : dsa_slave_netdevice_event+0x130/0x3e4<br /> lr : raw_notifier_call_chain+0x50/0x6c<br /> Call trace:<br /> dsa_slave_netdevice_event+0x130/0x3e4<br /> raw_notifier_call_chain+0x50/0x6c<br /> call_netdevice_notifiers_info+0x54/0xa0<br /> __dev_close_many+0x50/0x130<br /> dev_close_many+0x84/0x120<br /> unregister_netdevice_many+0x130/0x710<br /> unregister_netdevice_queue+0x8c/0xd0<br /> unregister_netdev+0x20/0x30<br /> dpaa2_eth_remove+0x68/0x190<br /> fsl_mc_driver_remove+0x20/0x5c<br /> __device_release_driver+0x21c/0x220<br /> device_release_driver_internal+0xac/0xb0<br /> device_links_unbind_consumers+0xd4/0x100<br /> __device_release_driver+0x94/0x220<br /> device_release_driver+0x28/0x40<br /> bus_remove_device+0x118/0x124<br /> device_del+0x174/0x420<br /> fsl_mc_device_remove+0x24/0x40<br /> __fsl_mc_device_remove+0xc/0x20<br /> device_for_each_child+0x58/0xa0<br /> dprc_remove+0x90/0xb0<br /> fsl_mc_driver_remove+0x20/0x5c<br /> __device_release_driver+0x21c/0x220<br /> device_release_driver+0x28/0x40<br /> bus_remove_device+0x118/0x124<br /> device_del+0x174/0x420<br /> fsl_mc_bus_remove+0x80/0x100<br /> fsl_mc_bus_shutdown+0xc/0x1c<br /> platform_shutdown+0x20/0x30<br /> device_shutdown+0x154/0x330<br /> __do_sys_reboot+0x1cc/0x250<br /> __arm64_sys_reboot+0x20/0x30<br /> invoke_syscall.constprop.0+0x4c/0xe0<br /> do_el0_svc+0x4c/0x150<br /> el0_svc+0x24/0xb0<br /> el0t_64_sync_handler+0xa8/0xb0<br /> el0t_64_sync+0x178/0x17c<br /> <br /> It can be seen from the stack trace that the problem is that the<br /> deregistration of the master causes a dev_close(), which gets notified<br /> as NETDEV_GOING_DOWN to dsa_slave_netdevice_event().<br /> But dsa_switch_shutdown() has already run, and this has unregistered the<br /> DSA slave interfaces, and yet, the NETDEV_GOING_DOWN handler attempts to<br /> call dev_close_many() on those slave interfaces, leading to the problem.<br /> <br /> The previous attempt to avoid the NETDEV_GOING_DOWN on the master after<br /> dsa_switch_shutdown() was called seems improper. Unregistering the slave<br /> interfaces is unnecessary and unhelpful. Instead, after the slaves have<br /> stopped being uppers of the DSA master, we can now reset to NULL the<br /> master-&gt;dsa_ptr pointer, which will make DSA start ignoring all future<br /> notifier events on the master.