Linux Kernel Device Link Management Vulnerability Leading to Potential Crash

Vulnerability

A vulnerability in the Linux kernel's handling of device links for network ports can lead to a crash. When a network port is disabled, 'phy_detach()' removes the device link but does not clear the 'phydev->devlink' pointer, so the pointer retains a stale value. If the port is then re-enabled and 'phy_attach_direct()' fails before adding the device link back, the old value is used, leading to a NULL pointer access and a crash. The root cause is improper management of the device link across the attach and detach cycle of the physical device.

Impact

The vulnerability can cause a system crash by accessing a NULL pointer, disrupting normal operations and potentially leading to a denial of service.

Reproduction

To reproduce this vulnerability, disable a network port, which triggers the 'phy_detach()' function to remove the device link without clearing the 'phydev->devlink' pointer. Then, re-enable the network port. If 'phy_attach_direct()' fails before the device link is added back, the old 'phydev->devlink' value is used, causing 'device_link_del()' to access a NULL pointer and crash the system.

Remediation

The 'phydev->devlink' pointer should be cleared when the device link is removed to prevent it from retaining an old value that can lead to a crash.
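
The stale-pointer sequence and the remediation described above, as an added user-space C model (not kernel code and not code from the original advisory). The model_* functions, run_cycle() and the clear_on_del switch are assumptions made for illustration, and the step where the kernel would crash is replaced by a counter.

```c
#include <stdbool.h>
#include <stddef.h>

/* User-space model of the attach/detach cycle. The model_* bodies are
 * constructed for illustration and are not the kernel implementation. */
struct device_link { bool live; };
struct phy_device { struct device_link *devlink; };

static struct device_link the_link;   /* never freed, so inspecting it is safe */
static int stale_deletes;             /* deletions of an already-removed link */

static void model_link_del(struct device_link *link)
{
    if (link->live)
        link->live = false;
    else
        stale_deletes++;              /* in the kernel this step is the crash */
}

static void model_detach(struct phy_device *phydev, bool clear_on_del)
{
    if (!phydev->devlink)
        return;
    model_link_del(phydev->devlink);
    if (clear_on_del)
        phydev->devlink = NULL;       /* the remediation: forget the removed link */
}

static int model_attach(struct phy_device *phydev, bool fail_early, bool clear_on_del)
{
    if (fail_early) {                 /* failure before the link is added back */
        model_detach(phydev, clear_on_del);
        return -1;
    }
    the_link.live = true;
    phydev->devlink = &the_link;
    return 0;
}

/* Port up, port down, then a re-enable that fails early.
 * Returns how many times an already-removed link was deleted again. */
int run_cycle(bool clear_on_del)
{
    struct phy_device phydev = { .devlink = NULL };
    stale_deletes = 0;
    model_attach(&phydev, false, clear_on_del);
    model_detach(&phydev, clear_on_del);
    model_attach(&phydev, true, clear_on_del);
    return stale_deletes;
}
```

run_cycle(false) models the unpatched behaviour and reports one deletion of an already-removed link; run_cycle(true) models the remediation and reports none.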

Added: Jul 3, 2025, 10:02 AM
Updated: Jul 3, 2025, 10:02 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 0.0
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.