CVE-2022-48817 is a vulnerability that affected the Linux kernel's Distributed Switch Architecture (DSA) driver for certain Atheros AR9331-based Ethernet switches. This bug could cause a system panic (crash) during kernel driver shutdown or device removal due to improper management of the Management Data Input/Output (MDIO) bus resources. In this post, we’ll break down what went wrong, how it could be exploited, and how it was fixed in clear, simple terms.

What Happened?

The problem was traced to how the AR9331 DSA driver handled the MDIO bus registration and freeing. In the Linux kernel, drivers often allocate system resources (like the MDIO bus) and register them for use, then free them when no longer needed. If freeing happens before a clean unregister, the system can panic—crash hard—with no graceful error.

Specifically, when the bus is still registered and mdiobus_free() is called (via the devres-managed variant), a panic results:

mdiobus_free() will panic when called from devm_mdiobus_free() <-
devres_release_all() <- __device_release_driver(), and that mdiobus was
not previously unregistered.

Why Was This Bad?

- System Reliability: A kernel panic will halt the whole system, which is especially bad on any device (router, switch, embedded system) running AR9331 hardware.
- Security: If someone could trigger device removal (like unplugging hardware or triggering driver shutdown from user space), they could cause a denial-of-service by crashing the system.

The Root Cause

The AR9331 driver mixed two resource management approaches: it allocated the MDIO bus through device resource management (devres) but registered it with the regular, non-devres call. With that split, devres frees the bus automatically when the driver is released, but nothing unregisters it first, so the bus can be freed while still registered, and the kernel panics during cleanup.

To make things worse, AR9331 platforms connected via special bus types (like the NXP dpaa2-eth on the fsl-mc bus) trigger driver shutdowns in a way that reveals the bug more easily.

The Solution

The solution was simple: be consistent. Either manage all MDIO bus resources using devres, or none. For AR9331, the maintainers decided to switch out regular of_mdiobus_register() for its devres variant, so *both* allocation and registration happen under automatic device resource management. Now, the kernel won't accidentally free a registered bus—no more panic.

Before (BAD)

mdiobus = devm_mdiobus_alloc(dev);
// Regular registration outside devres
err = of_mdiobus_register(mdiobus, np);
if (err)
    return err;

After (GOOD)

mdiobus = devm_mdiobus_alloc(dev);
// Now using devres variant for automatic management
err = devm_of_mdiobus_register(dev, mdiobus, np);
if (err)
    return err;

Now cleanup runs in the right order during driver removal or device shutdown: devres unregisters the bus before freeing it, so a still-registered bus is never freed.
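The teardown order behind the before/after difference, as a small userspace model added here for illustration (it is not kernel code and not from the original fix). The struct and function names are simplified stand-ins for the kernel's devres and MDIO helpers, and the model assumes the driver reaches devres release without an explicit unregister.

```c
#include <stdio.h>

/* Constructed userspace model; names are stand-ins, not kernel APIs. */
enum bus_state { BUS_ALLOCATED, BUS_REGISTERED, BUS_UNREGISTERED, BUS_RELEASED };
struct bus { enum bus_state state; int panicked; };
typedef void (*release_fn)(struct bus *);
struct device { release_fn actions[4]; int n; struct bus bus; };

static void bus_unregister(struct bus *b) { b->state = BUS_UNREGISTERED; }

/* Stand-in for mdiobus_free(): freeing a still-registered bus is fatal. */
static void bus_free(struct bus *b)
{
    if (b->state == BUS_REGISTERED) {
        b->panicked = 1;        /* the kernel would panic here */
        return;
    }
    b->state = BUS_RELEASED;
}

/* devres keeps a per-device list of release actions. */
static void devm_add(struct device *d, release_fn fn) { d->actions[d->n++] = fn; }
static void devm_bus_alloc(struct device *d) { d->bus.state = BUS_ALLOCATED; devm_add(d, bus_free); }
/* Plain registration: nothing is queued to undo it. */
static void bus_register(struct device *d) { d->bus.state = BUS_REGISTERED; }
/* devres registration: unregister is queued last, so it runs before free. */
static void devm_bus_register(struct device *d) { d->bus.state = BUS_REGISTERED; devm_add(d, bus_unregister); }

/* Stand-in for devres_release_all(): newest action runs first. */
static void devres_release_all(struct device *d)
{
    while (d->n > 0)
        d->actions[--d->n](&d->bus);
}

/* Returns 1 if driver unbind would panic, 0 if teardown is clean. */
int unbind_panics(int use_devm_register)
{
    struct device d = { .n = 0 };
    devm_bus_alloc(&d);
    if (use_devm_register)
        devm_bus_register(&d);
    else
        bus_register(&d);
    devres_release_all(&d);     /* no explicit unregister ran before this */
    return d.bus.panicked;
}

int main(void) { printf("before=%d after=%d\n", unbind_panics(0), unbind_panics(1)); return 0; }
```

Because release actions run in reverse order of registration, queuing the unregister step after the allocation guarantees it executes before the free.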

How Could This Be Exploited?

While there’s no direct proof-of-concept exploit for this vulnerability, here's a rough demonstration of a potential attack workflow:

PoC Outline (Denial of Service)

1. Trigger driver shutdown: From userspace (with privileges), you could forcibly remove the ar9331 device, trigger a bus rescan, or induce a hardware reconnection.
2. Observe system panic: If the kernel was running the unfixed code, this would crash the system as soon as AR9331’s MDIO bus resource cleanup was run in the wrong order.

Example shell

# WARNING: will harm your system if not patched! For illustrative purposes only.
echo 1 > /sys/bus/platform/devices/DEVICE/remove    # DEVICE = ar9331 instance
# System may panic if vulnerable

Check for the Patch: The fix is in mainline Linux after the following commits:

- 74b6d7d13307 (related Realtek fix)
- 5135e96a3dd2 (ar9331-specific fix)

References

- CVE-2022-48817 at cve.org
- Kernel commit 5135e96a3dd2 "net: dsa: don't allocate the slave_mii_bus using devres"
- Kernel commit 74b6d7d13307 "net: dsa: realtek: register the MDIO bus under devres"
- Linux DSA documentation

Summary

CVE-2022-48817 is a kernel-panicking bug in the AR9331 Ethernet switch driver. It happened because MDIO bus resources weren't managed consistently using device resource helpers. A quick fix using the right devres functions prevents system crashes when a device or driver is removed. Make sure your system is up to date, especially if it uses AR9331 or similar DSA switches!

Timeline

Published on: 07/16/2024 12:15:05 UTC
Last modified on: 05/04/2025 08:23:57 UTC