Description
In the Linux kernel, the following vulnerability has been resolved: net: phy: clear phydev->devlink when the link is deleted There is a potential crash issue when disabling and re-enabling the network port. When disabling the network port, phy_detach() calls device_link_del() to remove the device link, but it does not clear phydev->devlink, so phydev->devlink is not a NULL pointer. Then the network port is re-enabled, but if phy_attach_direct() fails before calling device_link_add(), the code jumps to the "error" label and calls phy_detach(). Since phydev->devlink retains the old value from the previous attach/detach cycle, device_link_del() uses the old value, which accesses a NULL pointer and causes a crash. The simplified crash log is as follows. [ 24.702421] Call trace: [ 24.704856] device_link_put_kref+0x20/0x120 [ 24.709124] device_link_del+0x30/0x48 [ 24.712864] phy_detach+0x24/0x168 [ 24.716261] phy_attach_direct+0x168/0x3a4 [ 24.720352] phylink_fwnode_phy_connect+0xc8/0x14c [ 24.725140] phylink_of_phy_connect+0x1c/0x34 Therefore, phydev->devlink needs to be cleared when the device link is deleted.
Product status
bc66fa87d4fda9053a8145e5718fc278c2b88253 (git) before 363fdf2777423ad346d781f09548cca14877f729
bc66fa87d4fda9053a8145e5718fc278c2b88253 (git) before ddc654e89ace723b78c34911c65243accbc9b75c
bc66fa87d4fda9053a8145e5718fc278c2b88253 (git) before 034bc4a2a72dea2cfcaf24c6bae03c38ad5a0b87
bc66fa87d4fda9053a8145e5718fc278c2b88253 (git) before 0795b05a59b1371b18ffbf09d385296b12e9f5d5
6.2
Any version before 6.2
6.6.94 (semver)
6.12.34 (semver)
6.15.3 (semver)
6.16 (original_commit_for_fix)
References
git.kernel.org/...c/363fdf2777423ad346d781f09548cca14877f729
git.kernel.org/...c/ddc654e89ace723b78c34911c65243accbc9b75c
git.kernel.org/...c/034bc4a2a72dea2cfcaf24c6bae03c38ad5a0b87
git.kernel.org/...c/0795b05a59b1371b18ffbf09d385296b12e9f5d5