CVE-2022-49847 in Linuxthông tin

Tóm tắt

Bởi VulDB • 29/05/2026

Trong the kernel log snippet you provided, we see a **kernel panic or Oops** occurring during the removal of an AM65 CPSW Nuss network driver (`ti_am65_cpsw_nuss`). The crash happens in the call chain:

``` phy_stop → phylink_stop → am65_cpsw_nuss_ndo_slave_stop → ... → am65_cpsw_nuss_remove ```

This indicates that the crash occurs while stopping the PHY/phylink subsystem during device removal.

---

### ???? Key Observations

#### 1. **Call Trace** ``` phy_stop+0x18/0xf8 phylink_stop+0x38/0xf8 am65_cpsw_nuss_ndo_slave_stop+0x28/0x1e0 [ti_am65_cpsw_nuss]
__dev_close_many+0xa4/0x140 dev_close_many+0x84/0x128 unregister_netdevice_many+0x130/0x6d0 unregister_netdevice_queue+0x94/0xd8 unregister_netdev+0x24/0x38 am65_cpsw_nuss_cleanup_ndev.isra.0+0x48/0x70 [ti_am65_cpsw_nuss]
am65_cpsw_nuss_remove+0x58/0xf8 [ti_am65_cpsw_nuss]
```

- The crash happens in `phy_stop()`, which is called from `phylink_stop()`, which is called from the driver’s `ndo_stop` callback (`am65_cpsw_nuss_ndo_slave_stop`). - This is during **device removal** (`am65_cpsw_nuss_remove`), so the network device is being unregistered.

#### 2. **Register State** - `x0 = 0x0004000800000200` — likely a pointer or flag. - `x1 = 0x0000000000000000` — null pointer? - `x17 = 0xffff800076c45000` — likely the faulting instruction address. - `x16 = 0xffff800008004000` — possibly a function pointer or base address.

The fact that `x1` is zero and the crash is in `phy_stop` suggests a **null pointer dereference** or **use-after-free**.

---

### ???? Likely Causes

#### ✅ 1. **Use-After-Free or Null Pointer in PHY/Phylink** - During `am65_cpsw_nuss_remove`, the driver may be calling `phylink_stop()` on a PHY or phylink structure that has already been freed or not properly initialized. - If the PHY was detached or freed earlier, but `phylink_stop()` still tries to access it, this can cause a crash.

#### ✅ 2. **Race Condition** - If the PHY or network device is being stopped concurrently (e.g., by another thread or interrupt), there might be a race condition leading to inconsistent state.

#### ✅ 3. **Improper Cleanup Order** - The driver might not be cleaning up the PHY/phylink in the correct order before unregistering the netdev. - For example, if `phylink_stop()` is called after the PHY structure is freed, it will crash.

#### ✅ 4. **Missing Error Handling** - If `phylink_create()` or similar failed earlier, but the driver didn’t check for errors, it might proceed with a null or invalid phylink pointer.

---

### ????️ How to Debug & Fix

#### 1. **Check for Null Pointers** - Add debug prints or use `kptr_restrict` to resolve kernel pointers. - In `am65_cpsw_nuss_ndo_slave_stop()`, check if the `phylink` or `phy` pointer is valid before calling `phylink_stop()`.

Example: ```c if (!priv->phylink) {
dev_err(dev, "phylink is NULL, skipping stop\n"); return; } phylink_stop(priv->phylink); ```

#### 2. **Ensure Proper Cleanup Order** - Make sure that in `am65_cpsw_nuss_remove()`, you: 1. Stop the PHY/phylink. 2. Unregister the netdev. 3. Free resources.

Correct order:

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

chịu trách nhiệm

Linux

Đặt trước

01/05/2025

Tiết lộ

01/05/2025

Kiểm duyệt

được chấp nhận

EPSS

0.00140

KEV

không

Các hoạt động

rất thấp

Nguồn

Interested in the pricing of exploits?

See the underground prices here!