Acknowledged
Created: Aug 17, 2025
Updated: Aug 19, 2025
Found In Version: 10.24.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 24
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:

net: phy: Don't register LEDs for genphy

If a PHY has no driver, the genphy driver is probed/removed directly in
phy_attach/detach. If the PHY's ofnode has an "leds" subnode, then the
LEDs will be (un)registered when probing/removing the genphy driver.
This could occur if the leds are for a non-generic driver that isn't
loaded for whatever reason. Synchronously removing the PHY device in
phy_detach leads to the following deadlock:

rtnl_lock()
ndo_close()
 ...
 phy_detach()
 phy_remove()
 phy_leds_unregister()
 led_classdev_unregister()
 led_trigger_set()
 netdev_trigger_deactivate()
 unregister_netdevice_notifier()
 rtnl_lock()

There is a corresponding deadlock on the open/register side of things
(and that one is reported by lockdep), but it requires a race while this
one is deterministic.

Generic PHYs do not support LEDs anyway, so don't bother registering
them.
CREATE(Triage):(User=pbi-cn) [CVE-2025-38537 (https://nvd.nist.gov/vuln/detail/CVE-2025-38537)
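
A check for whether a running target matches the condition in the description above: a PHY bound to a generic PHY driver while its device-tree node has a "leds" subnode. This is an added example, not part of this record or of the kernel patch; the sysfs layout it reads (`phydev`, `driver` and `of_node` links under each interface) and the driver names `Generic PHY` and `Generic Clause 45 PHY` are assumptions about the kernel in use.

```shell
#!/bin/sh
# Added example: list interfaces whose PHY is driven by genphy although the
# PHY's device-tree node carries a "leds" subnode.
# Assumed sysfs layout (not taken from the record):
#   <net_dir>/<ifname>/phydev          -> attached PHY device
#   <net_dir>/<ifname>/phydev/driver   -> bound driver (link name = driver name)
#   <net_dir>/<ifname>/phydev/of_node  -> device-tree node of the PHY

# genphy_led_candidates [NET_DIR]
# Prints one interface name per line.
# Returns 0 if at least one interface matched, 1 otherwise.
genphy_led_candidates() {
    net_dir=${1:-/sys/class/net}
    found=1
    for ifdir in "$net_dir"/*; do
        phy="$ifdir/phydev"
        # Skip interfaces with no attached PHY or no bound PHY driver.
        [ -e "$phy/driver" ] || continue
        drv=$(basename "$(readlink "$phy/driver")")
        case "$drv" in
            "Generic PHY"|"Generic Clause 45 PHY") ;;  # genphy fallback drivers
            *) continue ;;                             # a specific driver is bound
        esac
        # The LEDs are described in a "leds" child of the PHY's node.
        if [ -d "$phy/of_node/leds" ]; then
            basename "$ifdir"
            found=0
        fi
    done
    return "$found"
}

# Stand-alone use: scan the given directory, or /sys/class/net by default.
genphy_led_candidates "$@" || echo "no genphy-bound PHY with a leds node found" >&2
```

An interface listed here is one where the specific PHY driver named in the device tree did not load, so the kernel version and the missing driver are the two things to follow up on.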