CVE-2022-48808

In the Linux kernel, the following vulnerability has been resolved: net: dsa: fix panic when DSA master device unbinds on shutdown Rafael reports that on a system with LX2160A and Marvell DSA switches, if a reboot occurs while the DSA master (dpaa2-eth) is up, the following panic can be seen: systemd-shutdown[1]: Rebooting. Unable to handle kernel paging request at virtual address 00a0000800000041 [00a0000800000041] address between user and kernel address ranges Internal error: Oops: 96000004 [#1] PREEMPT SMP CPU: 6 PID: 1 Comm: systemd-shutdow Not tainted 5.16.5-00042-g8f5585009b24 #32 pc : dsa_slave_netdevice_event+0x130/0x3e4 lr : raw_notifier_call_chain+0x50/0x6c Call trace: dsa_slave_netdevice_event+0x130/0x3e4 raw_notifier_call_chain+0x50/0x6c call_netdevice_notifiers_info+0x54/0xa0 __dev_close_many+0x50/0x130 dev_close_many+0x84/0x120 unregister_netdevice_many+0x130/0x710 unregister_netdevice_queue+0x8c/0xd0 unregister_netdev+0x20/0x30 dpaa2_eth_remove+0x68/0x190 fsl_mc_driver_remove+0x20/0x5c __device_release_driver+0x21c/0x220 device_release_driver_internal+0xac/0xb0 device_links_unbind_consumers+0xd4/0x100 __device_release_driver+0x94/0x220 device_release_driver+0x28/0x40 bus_remove_device+0x118/0x124 device_del+0x174/0x420 fsl_mc_device_remove+0x24/0x40 __fsl_mc_device_remove+0xc/0x20 device_for_each_child+0x58/0xa0 dprc_remove+0x90/0xb0 fsl_mc_driver_remove+0x20/0x5c __device_release_driver+0x21c/0x220 device_release_driver+0x28/0x40 bus_remove_device+0x118/0x124 device_del+0x174/0x420 fsl_mc_bus_remove+0x80/0x100 fsl_mc_bus_shutdown+0xc/0x1c platform_shutdown+0x20/0x30 device_shutdown+0x154/0x330 __do_sys_reboot+0x1cc/0x250 __arm64_sys_reboot+0x20/0x30 invoke_syscall.constprop.0+0x4c/0xe0 do_el0_svc+0x4c/0x150 el0_svc+0x24/0xb0 el0t_64_sync_handler+0xa8/0xb0 el0t_64_sync+0x178/0x17c It can be seen from the stack trace that the problem is that the deregistration of the master causes a dev_close(), which gets notified as NETDEV_GOING_DOWN to dsa_slave_netdevice_event(). But dsa_switch_shutdown() has already run, and this has unregistered the DSA slave interfaces, and yet, the NETDEV_GOING_DOWN handler attempts to call dev_close_many() on those slave interfaces, leading to the problem. The previous attempt to avoid the NETDEV_GOING_DOWN on the master after dsa_switch_shutdown() was called seems improper. Unregistering the slave interfaces is unnecessary and unhelpful. Instead, after the slaves have stopped being uppers of the DSA master, we can now reset to NULL the master->dsa_ptr pointer, which will make DSA start ignoring all future notifier events on the master.
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

History

21 Nov 2024, 07:34

Type Values Removed Values Added
References () https://git.kernel.org/stable/c/89b60402d43cdab4387dbbf24afebda5cf092ae7 - Patch () https://git.kernel.org/stable/c/89b60402d43cdab4387dbbf24afebda5cf092ae7 - Patch
References () https://git.kernel.org/stable/c/ee534378f00561207656663d93907583958339ae - Patch () https://git.kernel.org/stable/c/ee534378f00561207656663d93907583958339ae - Patch
References () https://git.kernel.org/stable/c/ff45899e732e57088985e3a497b1d9100571c0f5 - Patch () https://git.kernel.org/stable/c/ff45899e732e57088985e3a497b1d9100571c0f5 - Patch

07 Aug 2024, 19:19

Type Values Removed Values Added
References () https://git.kernel.org/stable/c/89b60402d43cdab4387dbbf24afebda5cf092ae7 - () https://git.kernel.org/stable/c/89b60402d43cdab4387dbbf24afebda5cf092ae7 - Patch
References () https://git.kernel.org/stable/c/ee534378f00561207656663d93907583958339ae - () https://git.kernel.org/stable/c/ee534378f00561207656663d93907583958339ae - Patch
References () https://git.kernel.org/stable/c/ff45899e732e57088985e3a497b1d9100571c0f5 - () https://git.kernel.org/stable/c/ff45899e732e57088985e3a497b1d9100571c0f5 - Patch
CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
First Time Linux
Linux linux Kernel
Summary
  • (es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: dsa: corrige el pánico cuando el dispositivo maestro DSA se desvincula al apagar Rafael informa que en un sistema con conmutadores LX2160A y Marvell DSA, si se produce un reinicio mientras el DSA maestro (dpaa2-eth ) está activo, se puede ver el siguiente pánico: systemd-shutdown[1]: Rebooting. No se puede manejar la solicitud de paginación del kernel en la dirección virtual 00a0000800000041 [00a0000800000041] dirección entre los rangos de direcciones del usuario y del kernel Error interno: Ups: 96000004 [#1] CPU SMP PREEMPT: 6 PID: 1 Comm: systemd-shutdow No está contaminado 5.16.5-00042 -g8f5585009b24 #32 pc: dsa_slave_netdevice_event+0x130/0x3e4 lr: raw_notifier_call_chain+0x50/0x6c Rastreo de llamadas: dsa_slave_netdevice_event+0x130/0x3e4 raw_notifier_call_chain+0x50/0x6c call_netdevice_notifiers_info+ 0x54/0xa0 __dev_close_many+0x50/0x130 dev_close_many+0x84/0x120 unregister_netdevice_many+0x130/ 0x710 unregister_netdevice_queue+0x8c/0xd0 unregister_netdev+0x20/0x30 dpaa2_eth_remove+0x68/0x190 fsl_mc_driver_remove+0x20/0x5c __device_release_driver+0x21c/0x220 dispositivo_release_driver_internal+0xac/0x b0 device_links_unbind_consumers+0xd4/0x100 __device_release_driver+0x94/0x220 dispositivo_release_driver+0x28/0x40 bus_remove_device+0x118/ 0x124 dispositivo_del+0x174/0x420 fsl_mc_device_remove+0x24/0x40 __fsl_mc_device_remove+0xc/0x20 dispositivo_para_cada_niño+0x58/0xa0 dprc_remove+0x90/0xb0 fsl_mc_driver_remove+0x20/0x5c __ dispositivo_liberación_controlador+0x21c/0x220 dispositivo_liberación_controlador+0x28/0x40 bus_remove_device+0x118/0x124 dispositivo_del+0x174/ 0x420 fsl_mc_bus_remove+0x80/0x100 fsl_mc_bus_shutdown+0xc/0x1c platform_shutdown+0x20/0x30 dispositivo_shutdown+0x154/0x330 __do_sys_reboot+0x1cc/0x250 __arm64_sys_reboot+0x20/0x30 invoke_syscall.constprop.0+0x4c/0xe0 do_el0_svc+0x4c/0x150 el0_svc+0x24/0xb0 el0t_64_sync_handler+0xa8/0xb0 el0t_64_sync+0x178/0x17c Se puede ver en el seguimiento de la pila que el problema es que la cancelación del registro del maestro provoca un dev_close(), que se notifica como NETDEV_GOING_DOWN a dsa_slave_netdevice_event(). Pero dsa_switch_shutdown() ya se ejecutó, y esto anuló el registro de las interfaces esclavas DSA y, aún así, el controlador NETDEV_GOING_DOWN intenta llamar a dev_close_many() en esas interfaces esclavas, lo que genera el problema. El intento anterior de evitar NETDEV_GOING_DOWN en el maestro después de llamar a dsa_switch_shutdown() parece inadecuado. Anular el registro de las interfaces esclavas es innecesario e inútil. En cambio, después de que los esclavos hayan dejado de ser superiores al maestro DSA, ahora podemos restablecer a NULL el puntero maestro->dsa_ptr, lo que hará que DSA comience a ignorar todos los eventos notificadores futuros en el maestro.
CWE NVD-CWE-noinfo
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.5

16 Jul 2024, 12:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-16 12:15

Updated : 2024-11-21 07:34


NVD link : CVE-2022-48808

Mitre link : CVE-2022-48808

CVE.ORG link : CVE-2022-48808


JSON object : View

Products Affected

linux

  • linux_kernel