Linux Kernel Phylink Circular Locking Dependency Vulnerability

Vulnerability

A potential circular locking dependency has been identified in the Linux kernel's phylink and PHY device handling, specifically within the phy_config_inband() function. The vulnerability arises from an incorrect locking order between the phylink state mutex and the PHY device lock, which can lead to a deadlock. The issue was discovered using lockdep, a kernel debugging tool that analyzes locking patterns. The slow speed of the medium auto-negotiation protocol may limit the problem in practice, but the risk of deadlock exists, particularly when phylink_resolve() is called concurrently with phy_link_up() or phy_link_down() operations.

Impact

Exploitation of this vulnerability can cause a deadlock in the kernel, where threads become stuck waiting for each other to release locks, effectively halting progress in the affected parts of the system.

Reproduction

The vulnerability can be reproduced by creating a scenario where phylink_resolve() is executed while a PHY link state change is occurring, such as during a phy_link_up() or phy_link_down() call. This can be done by manually triggering these link state changes while phylink_resolve() is still processing, causing a deadlock on the state mutex.

Remediation

The phylink_resolve() function should acquire the PHY device lock before calling phylink_major_config(); this can be done by modifying the order of operations in the phylink_mac_initial_config() and phylink_resolve() functions.
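
The lock-order inversion described above, and the effect of the remediation, can be shown with a toy checker in the spirit of lockdep. This is an added example, not kernel code and not part of the original advisory: the lock class names, the tracker structure and the two replayed call paths are a simplified model assumed from the description on this page, and only pairwise (ABBA) inversions are detected.

```c
/* Added example: toy lock-order checker in the spirit of lockdep.
 * Lock classes and call paths are a simplified model, not kernel code. */
#include <stdio.h>
enum { STATE_MUTEX, PHYDEV_LOCK, NLOCKS };  /* hypothetical lock classes */

struct tracker {
    int held[NLOCKS];           /* locks held by the path being replayed */
    int after[NLOCKS][NLOCKS];  /* after[a][b]: b was taken while a held */
};

/* Record an acquisition; return 1 if the opposite order was seen before. */
static int acquire(struct tracker *t, int lock)
{
    int inversion = 0;
    for (int h = 0; h < NLOCKS; h++) {
        if (!t->held[h] || h == lock)
            continue;
        t->after[h][lock] = 1;
        inversion |= t->after[lock][h];
    }
    t->held[lock] = 1;
    return inversion;
}

/* Replay one code path that nests `inner` inside `outer`. */
static int replay(struct tracker *t, int outer, int inner)
{
    int bad = acquire(t, outer);
    bad |= acquire(t, inner);
    t->held[inner] = t->held[outer] = 0;  /* release both */
    return bad;
}

/* Returns 1 if the resolver's lock order conflicts with the link-change path. */
int check_ordering(int resolver_takes_phydev_first)
{
    struct tracker t = { {0} };
    /* phy_link_up()/phy_link_down(): PHY lock held, then state mutex. */
    int bad = replay(&t, PHYDEV_LOCK, STATE_MUTEX);
    /* phylink_resolve(): nesting depends on whether the fix is applied. */
    if (resolver_takes_phydev_first)
        return bad | replay(&t, PHYDEV_LOCK, STATE_MUTEX);
    return bad | replay(&t, STATE_MUTEX, PHYDEV_LOCK);
}

int main(void)
{
    printf("unfixed: %s\n", check_ordering(0) ? "inversion" : "consistent");
    printf("fixed:   %s\n", check_ordering(1) ? "inversion" : "consistent");
    return 0;
}
```

The checker flags the ordering without any thread actually deadlocking, which is how a dependency like this can be caught even when the timing window is rarely hit.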

Added: Oct 1, 2025, 8:29 AM
Updated: Oct 1, 2025, 8:29 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.