CVE-2025-68338

Vulnerability

Analysis

In the Linux kernel's Microchip DSA (Distributed Switch Architecture) driver, a bug exists in the error handling path during setup. When ksz_ptp_irq_setup() fails during initialization, the cleanup function ksz_irq_free() may be invoked on ksz_irq structures that have not been fully initialized. This can result in the freeing of uninitialized IRQ numbers or interrupt domains, leading to undefined behavior or undefined behavior [1].

Exploitation

The vulnerability is triggered during driver setup when a failure occurs after some ports have been initialized but before all ksz_irq structures are fully set up. The error path previously iterated over all ports, including those whose ksz_irq structures were not yet initialized. An attacker would need to induce a failure in the setup sequence, such as by causing ptp_irq_setup() to fail, which could be achieved through hardware manipulation or resource exhaustion [1].

Impact

If exploited, the bug could cause the kernel to free uninitialized memory, potentially leading to system instability, crashes, or information disclosure. The impact is limited to systems using Microchip DSA switches with the affected driver version [1].

Mitigation

The fix, introduced in commit 32abbcf4379a, replaces the original iteration macro with dsa_switch_for_each_user_port_continue_reverse(), which only iterates over ports that have been fully initialized. This ensures that ksz_irq_free() is only called on valid, initialized structures. Users should update to a kernel version containing this patch [1].