CVE-2025-38537

Description

In the Linux kernel, the following vulnerability has been resolved:net: phy: Dont register LEDs for genphyIf a PHY has no driver, the genphy driver is probed/removed directly inphy_attach/detach. If the PHYs ofnode has an leds subnode, then theLEDs will be (un)registered when probing/removing the genphy driver.This could occur if the leds are for a non-generic driver that isntloaded for whatever reason. Synchronously removing the PHY device inphy_detach leads to the following deadlock:rtnl_lock()ndo_close() ... phy_detach() phy_remove() phy_leds_unregister() led_classdev_unregister() led_trigger_set() netdev_trigger_deactivate() unregister_netdevice_notifier() rtnl_lock()There is a corresponding deadlock on the open/register side of things(and that one is reported by lockdep), but it requires a race while thisone is deterministic.Generic PHYs do not support LEDs anyway, so dont bother registeringthem.

Risk Information

Base Score

5.5

MODERATE

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS Score

Exploitation Probability

0.018

Associated Vulnerability

No records found

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234