{"id":"CVE-2025-39915","summary":"net: phy: transfer phy_config_inband() locking responsibility to phylink","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: transfer phy_config_inband() locking responsibility to phylink\n\nProblem description\n===================\n\nLockdep reports a possible circular locking dependency (AB/BA) between\n&pl-\u003estate_mutex and &phy-\u003elock, as follows.\n\nphylink_resolve() // acquires &pl-\u003estate_mutex\n-\u003e phylink_major_config()\n   -\u003e phy_config_inband() // acquires &pl-\u003ephydev-\u003elock\n\nwhereas all the other call sites where &pl-\u003estate_mutex and\n&pl-\u003ephydev-\u003elock have the locking scheme reversed. Everywhere else,\n&pl-\u003ephydev-\u003elock is acquired at the top level, and &pl-\u003estate_mutex at\nthe lower level. A clear example is phylink_bringup_phy().\n\nThe outlier is the newly introduced phy_config_inband() and the existing\nlock order is the correct one. To understand why it cannot be the other\nway around, it is sufficient to consider phylink_phy_change(), phylink's\ncallback from the PHY device's phy-\u003ephy_link_change() virtual method,\ninvoked by the PHY state machine.\n\nphy_link_up() and phy_link_down(), the (indirect) callers of\nphylink_phy_change(), are called with &phydev-\u003elock acquired.\nThen phylink_phy_change() acquires its own &pl-\u003estate_mutex, to\nserialize changes made to its pl-\u003ephy_state and pl-\u003elink_config.\nSo all other instances of &pl-\u003estate_mutex and &phydev-\u003elock must be\nconsistent with this order.\n\nProblem impact\n==============\n\nI think the kernel runs a serious deadlock risk if an existing\nphylink_resolve() thread, which results in a phy_config_inband() call,\nis concurrent with a phy_link_up() or phy_link_down() call, which will\ndeadlock on &pl-\u003estate_mutex in phylink_phy_change(). Practically\nspeaking, the impact may be limited by the slow speed of the medium\nauto-negotiation protocol, which makes it unlikely for the current state\nto still be unresolved when a new one is detected, but I think the\nproblem is there. Nonetheless, the problem was discovered using lockdep.\n\nProposed solution\n=================\n\nPractically speaking, the phy_config_inband() requirement of having\nphydev-\u003elock acquired must transfer to the caller (phylink is the only\ncaller). There, it must bubble up until immediately before\n&pl-\u003estate_mutex is acquired, for the cases where that takes place.\n\nSolution details, considerations, notes\n=======================================\n\nThis is the phy_config_inband() call graph:\n\n                          sfp_upstream_ops :: connect_phy()\n                          |\n                          v\n                          phylink_sfp_connect_phy()\n                          |\n                          v\n                          phylink_sfp_config_phy()\n                          |\n                          |   sfp_upstream_ops :: module_insert()\n                          |   |\n                          |   v\n                          |   phylink_sfp_module_insert()\n                          |   |\n                          |   |   sfp_upstream_ops :: module_start()\n                          |   |   |\n                          |   |   v\n                          |   |   phylink_sfp_module_start()\n                          |   |   |\n                          |   v   v\n                          |   phylink_sfp_config_optical()\n phylink_start()          |   |\n   |   phylink_resume()   v   v\n   |   |  phylink_sfp_set_config()\n   |   |  |\n   v   v  v\n phylink_mac_initial_config()\n   |   phylink_resolve()\n   |   |  phylink_ethtool_ksettings_set()\n   v   v  v\n   phylink_major_config()\n            |\n            v\n    phy_config_inband()\n\nphylink_major_config() caller #1, phylink_mac_initial_config(), does not\nacquire &pl-\u003estate_mutex nor do its callers. It must acquire\n&pl-\u003ephydev-\u003elock prior to calling phylink_major_config().\n\nphylink_major_config() caller #2, phylink_resolve() acquires\n&pl-\u003estate_mutex, thus also needs to acquire &pl-\u003ephydev-\u003elock.\n\nphylink_major_config() caller #3, phylink_ethtool_ksettings_set(), is\ncompletely uninteresting, because it only call\n---truncated---","modified":"2026-04-02T12:48:12.600174Z","published":"2025-10-01T07:44:37.884Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39915.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/052ac41c379c8b87629808be612a482b2d0ae283"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e2a10daba84968f6b5777d150985fd7d6abc9c84"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39915.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-39915"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"5fd0f1a02e750e2db4038dee60edea669ce5aab1"},{"fixed":"052ac41c379c8b87629808be612a482b2d0ae283"},{"fixed":"e2a10daba84968f6b5777d150985fd7d6abc9c84"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-39915.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}