CVE-2025-39905

Severity CVSS v4.0: Pending analysis
Type: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Publication date: 01/10/2025
Last modified: 14/01/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

net: phylink: add lock for serializing concurrent pl->phydev writes with resolver

Currently phylink_resolve() protects itself against concurrent phylink_bringup_phy() or phylink_disconnect_phy() calls which modify pl->phydev by relying on pl->state_mutex.

The problem is that in phylink_resolve(), pl->state_mutex is in a lock inversion state with pl->phydev->lock. So pl->phydev->lock needs to be acquired prior to pl->state_mutex. But that requires dereferencing pl->phydev in the first place, and without pl->state_mutex, that is racy.

Hence the reason for the extra lock. Currently it is redundant, but it will serve a functional purpose once mutex_lock(&phy->lock) will be moved outside of the mutex_lock(&pl->state_mutex) section.

Another alternative considered would have been to let phylink_resolve() acquire the rtnl_mutex, which is also held when phylink_bringup_phy() and phylink_disconnect_phy() are called. But since phylink_disconnect_phy() runs under rtnl_lock(), it would deadlock with phylink_resolve() when calling flush_work(&pl->resolve). Additionally, it would have been undesirable because it would have unnecessarily blocked many other call paths as well in the entire kernel, so the smaller-scoped lock was preferred.
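The lock ordering described above, modeled in user space with pthreads. This is an added example, not the kernel patch: every struct, field and function name in it (including `phydev_mutex` for the extra lock) is an assumption made for illustration.

```c
#include <pthread.h>
#include <stddef.h>

/* User-space model using pthreads; every name below is an illustrative assumption. */
struct phy { pthread_mutex_t lock; int link; };
struct link_ctl {
    pthread_mutex_t phydev_mutex;  /* extra lock: serializes writes to ->phydev */
    pthread_mutex_t state_mutex;   /* protects resolved state */
    struct phy *phydev;
    int resolved_link;
};

/* Writer (bring-up with a phy, disconnect with NULL): phydev_mutex -> state_mutex. */
static void set_phy(struct link_ctl *pl, struct phy *phy)
{
    pthread_mutex_lock(&pl->phydev_mutex);
    pthread_mutex_lock(&pl->state_mutex);
    pl->phydev = phy;
    pthread_mutex_unlock(&pl->state_mutex);
    pthread_mutex_unlock(&pl->phydev_mutex);
}

/* PHY-side path: phy->lock -> state_mutex, the order the resolver must follow. */
static void phy_report_link(struct link_ctl *pl, struct phy *phy, int up)
{
    pthread_mutex_lock(&phy->lock);
    phy->link = up;
    pthread_mutex_lock(&pl->state_mutex);
    pl->resolved_link = -1;        /* mark stale until the resolver runs */
    pthread_mutex_unlock(&pl->state_mutex);
    pthread_mutex_unlock(&phy->lock);
}

/* Resolver: phydev_mutex -> phy->lock -> state_mutex; returns -1 with no phy. */
static int resolve(struct link_ctl *pl)
{
    int link = -1;

    pthread_mutex_lock(&pl->phydev_mutex);
    struct phy *phy = pl->phydev;  /* stable: writers are excluded */
    if (phy)
        pthread_mutex_lock(&phy->lock);
    pthread_mutex_lock(&pl->state_mutex);
    if (phy)
        link = phy->link;
    pl->resolved_link = link;
    pthread_mutex_unlock(&pl->state_mutex);
    if (phy)
        pthread_mutex_unlock(&phy->lock);
    pthread_mutex_unlock(&pl->phydev_mutex);
    return link;
}
```

Because the pointer is read under the small-scoped lock, the resolver can take `phy->lock` before `state_mutex` without relying on `state_mutex` to keep `phydev` stable.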

Vulnerable products and versions

CPE | From | Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | | 6.16.8 (excluding)
cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:* | |
cpe:2.3:o:linux:linux_kernel:6.17:rc2:*:*:*:*:*:* | |
cpe:2.3:o:linux:linux_kernel:6.17:rc3:*:*:*:*:*:* | |
cpe:2.3:o:linux:linux_kernel:6.17:rc4:*:*:*:*:*:* | |
cpe:2.3:o:linux:linux_kernel:6.17:rc5:*:*:*:*:*:* | |