CVE-2025-38537

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 16/08/2025
Last modified: 18/08/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

net: phy: Don't register LEDs for genphy

If a PHY has no driver, the genphy driver is probed/removed directly in phy_attach/detach. If the PHY's ofnode has an "leds" subnode, then the LEDs will be (un)registered when probing/removing the genphy driver. This could occur if the leds are for a non-generic driver that isn't loaded for whatever reason. Synchronously removing the PHY device in phy_detach leads to the following deadlock:

    rtnl_lock()
    ndo_close()
    ...
    phy_detach()
    phy_remove()
    phy_leds_unregister()
    led_classdev_unregister()
    led_trigger_set()
    netdev_trigger_deactivate()
    unregister_netdevice_notifier()
    rtnl_lock()

There is a corresponding deadlock on the open/register side of things (and that one is reported by lockdep), but it requires a race while this one is deterministic.

Generic PHYs do not support LEDs anyway, so don't bother registering them.
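The close-path chain above, reduced to a user-space C model as an added illustration (not kernel code and not the upstream patch). The `model_*` names, `run_case` and the `fixed` flag are hypothetical, and the lock is a plain flag that returns -1 at the point where the real rtnl mutex would block forever.

```c
#include <stdbool.h>
#include <stdio.h>
/* User-space model, not kernel code. rtnl is modelled as a non-recursive
 * lock: -1 marks the point where the real mutex would block forever. */
static bool rtnl_held;
static int model_rtnl_lock(void) {
    if (rtnl_held) return -1;
    rtnl_held = true;
    return 0;
}
static void model_rtnl_unlock(void) { rtnl_held = false; }
/* is_genphy: no specific driver bound; has_leds_node: "leds" subnode. */
struct model_phy { bool is_genphy, has_leds_node, leds_registered; };

/* Probe; 'fixed' selects the patched behaviour (no LEDs for genphy). */
static void model_phy_probe(struct model_phy *p, bool fixed) {
    if (fixed && p->is_genphy) return;
    p->leds_registered = p->has_leds_node;
}

/* Collapses phy_leds_unregister() ... unregister_netdevice_notifier(). */
static int model_leds_unregister(struct model_phy *p) {
    if (!p->leds_registered) return 0;
    if (model_rtnl_lock() != 0) return -1;    /* the second rtnl_lock() */
    p->leds_registered = false;
    model_rtnl_unlock();
    return 0;
}

/* Close path: rtnl_lock(); ndo_close() ... phy_detach(); phy_remove(). */
static int model_close(struct model_phy *p) {
    int ret = 0;
    if (model_rtnl_lock() != 0) return -1;
    if (p->is_genphy) ret = model_leds_unregister(p); /* removed in detach */
    model_rtnl_unlock();
    return ret;
}

/* 0 = close completes, -1 = self-deadlock on rtnl. */
static int run_case(bool is_genphy, bool has_leds, bool fixed) {
    struct model_phy p = { is_genphy, has_leds, false };
    model_phy_probe(&p, fixed);
    return model_close(&p);
}

int main(void) {
    printf("genphy + leds, unpatched: %d\n", run_case(true, true, false));
    printf("genphy + leds, patched:   %d\n", run_case(true, true, true));
    return 0;
}
```

The unpatched case fails on every close, matching the description's point that this side of the deadlock needs no race.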

Impact