Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability exists in the Linux kernel's handling of conduit references within the Distributed Switch Architecture (DSA) subsystem. The Open Firmware (OF) path, which uses 'of_find_net_device_by_node()', never releases the elevated reference count on the conduit's kobject. Consequently, DSA may retain a stale pointer to an unregistered conduit interface, leading to potential inconsistencies. The vulnerability affects the Linux kernel stable tree.
The vulnerability can cause a use-after-free condition by allowing DSA to hold a reference to a conduit that has been unregistered, potentially leading to accessing freed memory.
The reference handling problem can be observed by unbinding the conduit driver for a net device, which should trigger the release of the conduit's kobject. With the 'CONFIG_DEBUG_KOBJECT_RELEASE' option enabled, that release is logged as a 'kobject_release' message. Applying the patch, performing the unbind operation, and checking the log for the release message confirms that the reference handling issue has been addressed; on a kernel without the patch the message does not appear, because the unreleased reference keeps the kobject from being released.
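A userspace C model of the reference imbalance described above, added here as an illustration; it is not kernel code or the upstream patch. All names ('struct conduit', 'lookup_by_node', 'parse_port_leaky', 'parse_port_balanced', 'released_after_unbind') are hypothetical, and the 'released' flag stands in for the 'kobject_release' log line. It models only the missing put after a lookup that returns with a raised count, not the stale-pointer handling.

```c
#include <stdbool.h>
#include <stdio.h>

struct conduit {
    int  refcount;  /* models the kobject reference count */
    bool released;  /* set where 'kobject_release' would be logged */
};

static void conduit_get(struct conduit *c) { c->refcount++; }

static void conduit_put(struct conduit *c)
{
    if (--c->refcount == 0)
        c->released = true;
}

/* Models a lookup such as of_find_net_device_by_node(): the object is
 * handed back with its reference count already raised for the caller. */
static struct conduit *lookup_by_node(struct conduit *registered)
{
    conduit_get(registered);
    return registered;
}

/* Before: the reference taken by the lookup is never dropped. */
static void parse_port_leaky(struct conduit *registered)
{
    (void)lookup_by_node(registered);
}

/* After: the lookup's reference is dropped once the caller is done. */
static void parse_port_balanced(struct conduit *registered)
{
    struct conduit *c = lookup_by_node(registered);
    conduit_put(c);
}

/* Register the conduit, let the switch parse its port, then unbind the
 * conduit driver. Returns true if the release ran on unbind. */
static bool released_after_unbind(void (*parse)(struct conduit *))
{
    struct conduit c = { .refcount = 1, .released = false }; /* driver's ref */
    parse(&c);
    conduit_put(&c); /* unbind drops the driver's own reference */
    return c.released;
}

int main(void)
{
    printf("leaky: released=%d\n", released_after_unbind(parse_port_leaky));
    printf("balanced: released=%d\n", released_after_unbind(parse_port_balanced));
    return 0;
}
```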
The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version where this patch is applied.