CVE-2022-49847 in Linuxinfo

Zusammenfassung

von VulDB • 02.06.2026

Implied Question: Based on the provided kernel crash log (Call Trace and Register Dump), what is the likely cause of the crash, and how can it be diagnosed or fixed?

---

### Analysis of the Crash Log

#### 1. **Crash Location** The crash occurs in the function: ``` phy_stop+0x18/0xf8 ``` This is part of the Linux kernel's PHY (Physical Layer) subsystem, specifically when stopping a PHY device.

#### 2. **Call Trace Context** The call trace shows the following sequence: ``` phy_stop → phylink_stop → am65_cpsw_nuss_ndo_slave_stop [ti_am65_cpsw_nuss]
→ __dev_close_many → dev_close_many → unregister_netdevice_many → unregister_netdevice_queue → unregister_netdev → am65_cpsw_nuss_cleanup_ndev.isra.0 [ti_am65_cpsw_nuss]
→ am65_cpsw_nuss_remove [ti_am65_cpsw_nuss]
``` This indicates that the crash happens during the **driver removal** (`am65_cpsw_nuss_remove`) of the TI AM65x CPSW Nuss Ethernet driver. Specifically, when the network device is being unregistered, it tries to stop the PHY via `phylink_stop`, which eventually calls `phy_stop`.

#### 3. **Register Dump Analysis** - **x0**: `0004000800000200` – Likely a pointer or flag. - **x1**: `0000000000000000` – **NULL pointer**. - **x2**: `d0a07fcff8b8d500` – Likely a kernel address. - **x17**: `ffff800076c45000` – Likely the return address or PC. - **x16**: `ffff800008004000` – Likely the link register (LR).

The presence of **x1 = 0** (NULL) is highly suspicious. In ARM64, the first argument to a function is passed in `x0`, and the second in `x1`. If `phy_stop` expects a valid `struct phy_device *` or similar pointer in `x1` (or if it dereferences a member of a structure pointed to by `x1`), a NULL value would cause a **NULL pointer dereference**.

However, note that in ARM64 AAPCS64: - `x0` is the first argument. - `x1` is the second argument.

Looking at the kernel source for `phy_stop`: ```c void phy_stop(struct phy_device *phydev) {
if (!phydev) return; ... } ``` If `phydev` (in `x0`) is valid, but the code later dereferences a member that is NULL, or if `phylink_stop` passes a NULL pointer to `phy_stop`, that would cause the crash.

But wait: `x0` is `0004000800000200`, which is **not NULL**. So `phydev` is likely valid.

Let’s look at `phylink_stop`: ```c void phylink_stop(struct phylink *pl) {
... phy_stop(pl->phydev); ... } ``` If `pl->phydev` is NULL, then `phy_stop` would be called with a NULL `x0`. But `x0` is not NULL here.

Alternatively, the crash might be in a different part of `phy_stop`. Let’s check the offset: `+0x18`. This is very early in the function.

In some kernel versions, `phy_stop` might do: ```c if (phydev->state == PHY_UP) {
... } ``` If `phydev` is valid but `phydev->state` is accessed incorrectly, or if there’s a race condition where `phydev` is freed but still referenced, that could cause a crash.

#### 4. **Likely Cause** The most probable cause is a **NULL pointer dereference** or **use-after-free** in the `am65_cpsw_nuss` driver during device removal. Specifically: - The driver may be calling `phylink_stop` with an invalid or partially initialized `phylink` structure. - Or, the `phydev` pointer is stale/freed

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Zuständig

Linux

Reservieren

01.05.2025

Veröffentlichung

01.05.2025

Moderieren

akzeptiert

Eintrag

VDB-307016

CPE

bereit

EPSS

0.00140

KEV

nein

Aktivitäten

very low

Quellen

Do you need the next level of professionalism?

Upgrade your account now!