CVE-2026-23368

In the Linux kernel, the following vulnerability has been resolved:

net: phy: register phy led_triggers during probe to avoid AB-BA deadlock

There is an AB-BA deadlock when both LEDSTRIGGERNETDEV and LEDTRIGGERPHY are enabled:

[ 1362.049207] [<8054e4b8>] ledtriggerregister+0x5c/0x1fc <-- Trying to get lock "triggerslistlock" via downwrite(&triggerslistlock); [ 1362.054536] [<80662830>] phyledtriggersregister+0xd0/0x234 [ 1362.060329] [<8065e200>] phyattachdirect+0x33c/0x40c [ 1362.065489] [<80651fc4>] phylinkfwnodephyconnect+0x15c/0x23c [ 1362.071480] [<8066ee18>] mtkopen+0x7c/0xba0 [ 1362.075849] [<806d714c>] __dev_open+0x280/0x2b0 [ 1362.080384] [<806d7668>] __devchangeflags+0x244/0x24c [ 1362.085598] [<806d7698>] devchangeflags+0x28/0x78 [ 1362.090528] [<807150e4>] devioctl+0x4c0/0x654 <-- Hold lock "rtnlmutex" by calling rtnllock(); [ 1362.094985] [<80694360>] sockioctl+0x2f4/0x4e0 [ 1362.099567] [<802e9c4c>] sysioctl+0x32c/0xd8c [ 1362.104022] [<80014504>] syscallcommon+0x34/0x58

Here LEDTRIGGERPHY is registering LED triggers during phyattach while holding RTNL and then taking triggerslist_lock.

[ 1362.191101] [<806c2640>] registernetdevicenotifier+0x60/0x168 <-- Trying to get lock "rtnlmutex" via rtnllock(); [ 1362.197073] [<805504ac>] netdevtrigactivate+0x194/0x1e4 [ 1362.202490] [<8054e28c>] ledtriggerset+0x1d4/0x360 <-- Hold lock "triggerslistlock" by downread(&triggerslistlock); [ 1362.207511] [<8054eb38>] ledtriggerwrite+0xd8/0x14c [ 1362.212566] [<80381d98>] sysfskfbinwrite+0x80/0xbc [ 1362.217688] [<8037fcd8>] kernfsfopwriteiter+0x17c/0x28c [ 1362.223174] [<802cbd70>] vfswrite+0x21c/0x3c4 [ 1362.227712] [<802cc0c4>] ksyswrite+0x78/0x12c [ 1362.232164] [<80014504>] syscallcommon+0x34/0x58

Here LEDSTRIGGERNETDEV is being enabled on an LED. It first takes triggerslistlock and then RTNL. A classical AB-BA deadlock.

phyledtriggersregisters() does not require the RTNL, it does not make any calls into the network stack which require protection. There is also no requirement the PHY has been attached to a MAC, the triggers only make use of phydev state. This allows the call to phyledtriggersregisters() to be placed elsewhere. PHY probe() and release() don't hold RTNL, so solving the AB-BA deadlock.