CVE-2022-48818: net: dsa: mv88e6xxx: don't use devres for mdiobus
In the Linux kernel, the following vulnerability has been resolved:
net: dsa: mv88e6xxx: don't use devres for mdiobus
As explained in commits:
74b6d7d13307 ("net: dsa: realtek: register the MDIO bus under devres")
5135e96a3dd2 ("net: dsa: don't allocate the slave_mii_bus using devres")
mdiobus_free() will panic when called from devm_mdiobus_free() <-
devres_release_all() <- __device_release_driver(), and that mdiobus was
not previously unregistered.
The mv88e6xxx is an MDIO device, so the initial set of constraints that
I thought would cause this (I2C or SPI buses which call ->remove on
->shutdown) do not apply. But there is one more which applies here.
If the DSA master itself is on a bus that calls ->remove from ->shutdown
(like dpaa2-eth, which is on the fsl-mc bus), there is a device link
between the switch and the DSA master, and device_links_unbind_consumers()
will unbind the Marvell switch driver on shutdown.
systemd-shutdown[1]: Powering off.
mv88e6085 0x0000000008b96000:00 sw_gl0: Link is Down
fsl-mc dpbp.9: Removing from iommu group 7
fsl-mc dpbp.8: Removing from iommu group 7
------------[ cut here ]------------
kernel BUG at drivers/net/phy/mdio_bus.c:677!
Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 1 Comm: systemd-shutdow Not tainted 5.16.5-00040-gdc05f73788e5 #15
pc : mdiobus_free+0x44/0x50
lr : devm_mdiobus_free+0x10/0x20
Call trace:
mdiobus_free+0x44/0x50
devm_mdiobus_free+0x10/0x20
devres_release_all+0xa0/0x100
__device_release_driver+0x190/0x220
device_release_driver_internal+0xac/0xb0
device_links_unbind_consumers+0xd4/0x100
__device_release_driver+0x4c/0x220
device_release_driver_internal+0xac/0xb0
device_links_unbind_consumers+0xd4/0x100
__device_release_driver+0x94/0x220
device_release_driver+0x28/0x40
bus_remove_device+0x118/0x124
device_del+0x174/0x420
fsl_mc_device_remove+0x24/0x40
__fsl_mc_device_remove+0xc/0x20
device_for_each_child+0x58/0xa0
dprc_remove+0x90/0xb0
fsl_mc_driver_remove+0x20/0x5c
__device_release_driver+0x21c/0x220
device_release_driver+0x28/0x40
bus_remove_device+0x118/0x124
device_del+0x174/0x420
fsl_mc_bus_remove+0x80/0x100
fsl_mc_bus_shutdown+0xc/0x1c
platform_shutdown+0x20/0x30
device_shutdown+0x154/0x330
kernel_power_off+0x34/0x6c
__do_sys_reboot+0x15c/0x250
__arm64_sys_reboot+0x20/0x30
invoke_syscall.constprop.0+0x4c/0xe0
do_el0_svc+0x4c/0x150
el0_svc+0x24/0xb0
el0t_64_sync_handler+0xa8/0xb0
el0t_64_sync+0x178/0x17c
So the same treatment must be applied to all DSA switch drivers, which
is: either use devres for both the mdiobus allocation and registration,
or don't use devres at all.
The Marvell driver already has a good structure for mdiobus removal, so
just plug in mdiobus_free and get rid of devres.
Security readout for executives and security teams
Plain-English summary
CVE-2022-48818 is a Linux kernel bug that can crash certain systems during shutdown or driver unbinding. It affects configurations using the Marvell mv88e6xxx DSA switch driver and specific bus interactions. The main business impact is availability risk on specialized Linux network or embedded systems, not confirmed remote compromise.
Executive priority
Treat as a targeted availability issue. Patch during normal maintenance unless the organization depends on affected Linux network platforms where shutdown reliability is operationally critical. There is no source-backed evidence of remote exploitation or broad enterprise exposure.
Technical view
The mv88e6xxx DSA driver used devres-managed MDIO bus allocation in a way that could call mdiobus_free before unregistering the bus. During shutdown-driven remove paths, such as via device links from a DSA master on fsl-mc/dpaa2-eth, this can trigger a kernel BUG/Oops. Stable kernel commits replace the devres pattern for this driver.
Likely exposure
Exposure is likely limited to Linux systems using Marvell mv88e6xxx DSA switch hardware and affected kernel versions. The source specifically describes a shutdown path involving a DSA master on a bus that calls remove during shutdown, such as fsl-mc with dpaa2-eth.
Exploitation context
No active exploitation is indicated by KEV or the provided sources. The described trigger is system shutdown or device-driver unbinding, causing a kernel panic. This appears to be an availability and reliability issue in specific hardware and driver configurations.
Researcher notes
The CVE text documents a concrete panic path and links four stable commits. Severity, CVSS, and CWE data are not provided in the bundle. Avoid generalizing beyond mv88e6xxx DSA and the shutdown/remove conditions described by the kernel maintainers.
Mitigation direction
Update to a Linux kernel containing the referenced stable fixes.
Prioritize affected network appliances, embedded systems, and ARM platforms using mv88e6xxx DSA hardware.
Check vendor kernel advisories if using a distribution or appliance kernel.
Plan maintenance windows because validation may require shutdown or reboot testing.
Validation and detection
Inventory kernels and identify systems using the mv88e6xxx DSA driver.
Check for Marvell DSA switch hardware in platform documentation or kernel logs.
Review shutdown logs for mdiobus_free, devm_mdiobus_free, or mv88e6xxx kernel Oops traces.
Confirm the running kernel includes one of the referenced stable commits or downstream backport.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-48818 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.