cve/published/2022/CVE-2022-48808.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-48808: net: dsa: fix panic when DSA master device unbinds on shutdown

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net: dsa: fix panic when DSA master device unbinds on shutdown

 Rafael reports that on a system with LX2160A and Marvell DSA switches,
 if a reboot occurs while the DSA master (dpaa2-eth) is up, the following
 panic can be seen:

 systemd-shutdown[1]: Rebooting.
 Unable to handle kernel paging request at virtual address 00a0000800000041
 [00a0000800000041] address between user and kernel address ranges
 Internal error: Oops: 96000004 [#1] PREEMPT SMP
 CPU: 6 PID: 1 Comm: systemd-shutdow Not tainted 5.16.5-00042-g8f5585009b24 #32
 pc : dsa_slave_netdevice_event+0x130/0x3e4
 lr : raw_notifier_call_chain+0x50/0x6c
 Call trace:
  dsa_slave_netdevice_event+0x130/0x3e4
  raw_notifier_call_chain+0x50/0x6c
  call_netdevice_notifiers_info+0x54/0xa0
  __dev_close_many+0x50/0x130
  dev_close_many+0x84/0x120
  unregister_netdevice_many+0x130/0x710
  unregister_netdevice_queue+0x8c/0xd0
  unregister_netdev+0x20/0x30
  dpaa2_eth_remove+0x68/0x190
  fsl_mc_driver_remove+0x20/0x5c
  __device_release_driver+0x21c/0x220
  device_release_driver_internal+0xac/0xb0
  device_links_unbind_consumers+0xd4/0x100
  __device_release_driver+0x94/0x220
  device_release_driver+0x28/0x40
  bus_remove_device+0x118/0x124
  device_del+0x174/0x420
  fsl_mc_device_remove+0x24/0x40
  __fsl_mc_device_remove+0xc/0x20
  device_for_each_child+0x58/0xa0
  dprc_remove+0x90/0xb0
  fsl_mc_driver_remove+0x20/0x5c
  __device_release_driver+0x21c/0x220
  device_release_driver+0x28/0x40
  bus_remove_device+0x118/0x124
  device_del+0x174/0x420
  fsl_mc_bus_remove+0x80/0x100
  fsl_mc_bus_shutdown+0xc/0x1c
  platform_shutdown+0x20/0x30
  device_shutdown+0x154/0x330
  __do_sys_reboot+0x1cc/0x250
  __arm64_sys_reboot+0x20/0x30
  invoke_syscall.constprop.0+0x4c/0xe0
  do_el0_svc+0x4c/0x150
  el0_svc+0x24/0xb0
  el0t_64_sync_handler+0xa8/0xb0
  el0t_64_sync+0x178/0x17c

 It can be seen from the stack trace that the problem is that the
 deregistration of the master causes a dev_close(), which gets notified
 as NETDEV_GOING_DOWN to dsa_slave_netdevice_event().
 But dsa_switch_shutdown() has already run, and this has unregistered the
 DSA slave interfaces, and yet, the NETDEV_GOING_DOWN handler attempts to
 call dev_close_many() on those slave interfaces, leading to the problem.

 The previous attempt to avoid the NETDEV_GOING_DOWN on the master after
 dsa_switch_shutdown() was called seems improper. Unregistering the slave
 interfaces is unnecessary and unhelpful. Instead, after the slaves have
 stopped being uppers of the DSA master, we can now reset to NULL the
 master->dsa_ptr pointer, which will make DSA start ignoring all future
 notifier events on the master.

 The Linux kernel CVE team has assigned CVE-2022-48808 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.15 with commit 0650bf52b31ff35dc6430fc2e37969c36baba724 and fixed in 5.15.155 with commit ff45899e732e57088985e3a497b1d9100571c0f5
 	Issue introduced in 5.15 with commit 0650bf52b31ff35dc6430fc2e37969c36baba724 and fixed in 5.16.10 with commit 89b60402d43cdab4387dbbf24afebda5cf092ae7
 	Issue introduced in 5.15 with commit 0650bf52b31ff35dc6430fc2e37969c36baba724 and fixed in 5.17 with commit ee534378f00561207656663d93907583958339ae

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-48808
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/dsa/dsa2.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/ff45899e732e57088985e3a497b1d9100571c0f5
 	https://git.kernel.org/stable/c/89b60402d43cdab4387dbbf24afebda5cf092ae7
 	https://git.kernel.org/stable/c/ee534378f00561207656663d93907583958339ae
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-48808: net: dsa: fix panic when DSA master device unbinds on shutdown

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net: dsa: fix panic when DSA master device unbinds on shutdown

	Rafael reports that on a system with LX2160A and Marvell DSA switches,
	if a reboot occurs while the DSA master (dpaa2-eth) is up, the following
	panic can be seen:

	systemd-shutdown[1]: Rebooting.
	Unable to handle kernel paging request at virtual address 00a0000800000041
	[00a0000800000041] address between user and kernel address ranges
	Internal error: Oops: 96000004 [#1] PREEMPT SMP
	CPU: 6 PID: 1 Comm: systemd-shutdow Not tainted 5.16.5-00042-g8f5585009b24 #32
	pc : dsa_slave_netdevice_event+0x130/0x3e4
	lr : raw_notifier_call_chain+0x50/0x6c
	Call trace:
	dsa_slave_netdevice_event+0x130/0x3e4
	raw_notifier_call_chain+0x50/0x6c
	call_netdevice_notifiers_info+0x54/0xa0
	__dev_close_many+0x50/0x130
	dev_close_many+0x84/0x120
	unregister_netdevice_many+0x130/0x710
	unregister_netdevice_queue+0x8c/0xd0
	unregister_netdev+0x20/0x30
	dpaa2_eth_remove+0x68/0x190
	fsl_mc_driver_remove+0x20/0x5c
	__device_release_driver+0x21c/0x220
	device_release_driver_internal+0xac/0xb0
	device_links_unbind_consumers+0xd4/0x100
	__device_release_driver+0x94/0x220
	device_release_driver+0x28/0x40
	bus_remove_device+0x118/0x124
	device_del+0x174/0x420
	fsl_mc_device_remove+0x24/0x40
	__fsl_mc_device_remove+0xc/0x20
	device_for_each_child+0x58/0xa0
	dprc_remove+0x90/0xb0
	fsl_mc_driver_remove+0x20/0x5c
	__device_release_driver+0x21c/0x220
	device_release_driver+0x28/0x40
	bus_remove_device+0x118/0x124
	device_del+0x174/0x420
	fsl_mc_bus_remove+0x80/0x100
	fsl_mc_bus_shutdown+0xc/0x1c
	platform_shutdown+0x20/0x30
	device_shutdown+0x154/0x330
	__do_sys_reboot+0x1cc/0x250
	__arm64_sys_reboot+0x20/0x30
	invoke_syscall.constprop.0+0x4c/0xe0
	do_el0_svc+0x4c/0x150
	el0_svc+0x24/0xb0
	el0t_64_sync_handler+0xa8/0xb0
	el0t_64_sync+0x178/0x17c

	It can be seen from the stack trace that the problem is that the
	deregistration of the master causes a dev_close(), which gets notified
	as NETDEV_GOING_DOWN to dsa_slave_netdevice_event().
	But dsa_switch_shutdown() has already run, and this has unregistered the
	DSA slave interfaces, and yet, the NETDEV_GOING_DOWN handler attempts to
	call dev_close_many() on those slave interfaces, leading to the problem.

	The previous attempt to avoid the NETDEV_GOING_DOWN on the master after
	dsa_switch_shutdown() was called seems improper. Unregistering the slave
	interfaces is unnecessary and unhelpful. Instead, after the slaves have
	stopped being uppers of the DSA master, we can now reset to NULL the
	master->dsa_ptr pointer, which will make DSA start ignoring all future
	notifier events on the master.

	The Linux kernel CVE team has assigned CVE-2022-48808 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.15 with commit 0650bf52b31ff35dc6430fc2e37969c36baba724 and fixed in 5.15.155 with commit ff45899e732e57088985e3a497b1d9100571c0f5
	Issue introduced in 5.15 with commit 0650bf52b31ff35dc6430fc2e37969c36baba724 and fixed in 5.16.10 with commit 89b60402d43cdab4387dbbf24afebda5cf092ae7
	Issue introduced in 5.15 with commit 0650bf52b31ff35dc6430fc2e37969c36baba724 and fixed in 5.17 with commit ee534378f00561207656663d93907583958339ae

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-48808
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/dsa/dsa2.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/ff45899e732e57088985e3a497b1d9100571c0f5
	https://git.kernel.org/stable/c/89b60402d43cdab4387dbbf24afebda5cf092ae7
	https://git.kernel.org/stable/c/ee534378f00561207656663d93907583958339ae