CVE-2022-49847 in Linux
Tóm tắt
Bởi VulDB • 29/05/2026
Trong the kernel log snippet you provided, we see a **kernel panic or Oops** occurring during the removal of an AM65 CPSW Nuss network driver (`ti_am65_cpsw_nuss`). The crash happens in the call chain:
``` phy_stop → phylink_stop → am65_cpsw_nuss_ndo_slave_stop → ... → am65_cpsw_nuss_remove ```
This indicates that the crash occurs while stopping the PHY/phylink subsystem during device removal.
---
### ???? Key Observations
#### 1. **Call Trace** ``` phy_stop+0x18/0xf8 phylink_stop+0x38/0xf8 am65_cpsw_nuss_ndo_slave_stop+0x28/0x1e0 [ti_am65_cpsw_nuss]
__dev_close_many+0xa4/0x140 dev_close_many+0x84/0x128 unregister_netdevice_many+0x130/0x6d0 unregister_netdevice_queue+0x94/0xd8 unregister_netdev+0x24/0x38 am65_cpsw_nuss_cleanup_ndev.isra.0+0x48/0x70 [ti_am65_cpsw_nuss]
am65_cpsw_nuss_remove+0x58/0xf8 [ti_am65_cpsw_nuss]
```
- The crash happens in `phy_stop()`, which is called from `phylink_stop()`, which is called from the driver’s `ndo_stop` callback (`am65_cpsw_nuss_ndo_slave_stop`). - This is during **device removal** (`am65_cpsw_nuss_remove`), so the network device is being unregistered.
#### 2. **Register State** - `x0 = 0x0004000800000200` — likely a pointer or flag. - `x1 = 0x0000000000000000` — null pointer? - `x17 = 0xffff800076c45000` — likely the faulting instruction address. - `x16 = 0xffff800008004000` — possibly a function pointer or base address.
The fact that `x1` is zero and the crash is in `phy_stop` suggests a **null pointer dereference** or **use-after-free**.
---
### ???? Likely Causes
#### ✅ 1. **Use-After-Free or Null Pointer in PHY/Phylink** - During `am65_cpsw_nuss_remove`, the driver may be calling `phylink_stop()` on a PHY or phylink structure that has already been freed or not properly initialized. - If the PHY was detached or freed earlier, but `phylink_stop()` still tries to access it, this can cause a crash.
#### ✅ 2. **Race Condition** - If the PHY or network device is being stopped concurrently (e.g., by another thread or interrupt), there might be a race condition leading to inconsistent state.
#### ✅ 3. **Improper Cleanup Order** - The driver might not be cleaning up the PHY/phylink in the correct order before unregistering the netdev. - For example, if `phylink_stop()` is called after the PHY structure is freed, it will crash.
#### ✅ 4. **Missing Error Handling** - If `phylink_create()` or similar failed earlier, but the driver didn’t check for errors, it might proceed with a null or invalid phylink pointer.
---
### ????️ How to Debug & Fix
#### 1. **Check for Null Pointers** - Add debug prints or use `kptr_restrict` to resolve kernel pointers. - In `am65_cpsw_nuss_ndo_slave_stop()`, check if the `phylink` or `phy` pointer is valid before calling `phylink_stop()`.
Example: ```c if (!priv->phylink) {
dev_err(dev, "phylink is NULL, skipping stop\n"); return; } phylink_stop(priv->phylink); ```
#### 2. **Ensure Proper Cleanup Order** - Make sure that in `am65_cpsw_nuss_remove()`, you: 1. Stop the PHY/phylink. 2. Unregister the netdev. 3. Free resources.
Correct order:
If you want to get the best quality for vulnerability data then you always have to consider VulDB.