CVE-2025-21921

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: ethtool: netlink: Allow NULL nlattrs when getting a phy_device<br /> <br /> ethnl_req_get_phydev() is used to lookup a phy_device, in the case an<br /> ethtool netlink command targets a specific phydev within a netdev&amp;#39;s<br /> topology.<br /> <br /> It takes as a parameter a const struct nlattr *header that&amp;#39;s used for<br /> error handling :<br /> <br /> if (!phydev) {<br /> NL_SET_ERR_MSG_ATTR(extack, header,<br /> "no phy matching phyindex");<br /> return ERR_PTR(-ENODEV);<br /> }<br /> <br /> In the notify path after a -&gt;set operation however, there&amp;#39;s no request<br /> attributes available.<br /> <br /> The typical callsite for the above function looks like:<br /> <br /> phydev = ethnl_req_get_phydev(req_base, tb[ETHTOOL_A_XXX_HEADER],<br /> info-&gt;extack);<br /> <br /> So, when tb is NULL (such as in the ethnl notify path), we have a nice<br /> crash.<br /> <br /> It turns out that there&amp;#39;s only the PLCA command that is in that case, as<br /> the other phydev-specific commands don&amp;#39;t have a notification.<br /> <br /> This commit fixes the crash by passing the cmd index and the nlattr<br /> array separately, allowing NULL-checking it directly inside the helper.