VYPR
Unrated severity · NVD Advisory · Published Nov 12, 2025 · Updated Apr 15, 2026

CVE-2025-40120

Description

In the Linux kernel, the following vulnerability has been resolved:

net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock

Prevent USB runtime PM (autosuspend) for AX88772* in bind.

usbnet enables runtime PM (autosuspend) by default, so disabling it via the usb_driver flag is ineffective. On AX88772B, autosuspend shows no measurable power saving with current driver (no link partner, admin up/down). The ~0.453 W -> ~0.248 W drop on v6.1 comes from phylib powering the PHY off on admin-down, not from USB autosuspend.

The real hazard is that with runtime PM enabled, ndo_open() (under RTNL) may synchronously trigger autoresume (usb_autopm_get_interface()) into asix_resume() while the USB PM lock is held. Resume paths then invoke phylink/phylib and MDIO, which also expect RTNL, leading to possible deadlocks or PM lock vs MDIO wake issues.

To avoid this, keep the device runtime-PM active by taking a usage reference in ax88772_bind() and dropping it in unbind(). A non-zero PM usage count blocks runtime suspend regardless of userspace policy (.../power/control - pm_runtime_allow/forbid), making this approach robust against sysfs overrides.

Holding a runtime-PM usage ref does not affect system-wide suspend; system sleep/resume callbacks continue to run as before.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A Linux kernel USB Ethernet driver (asix) fails to prevent runtime PM autosuspend, creating a PM/MDIO + RTNL deadlock risk.

In the Linux kernel's AX88772(A/B) USB Ethernet driver (asix), the usbnet infrastructure enables USB runtime PM (autosuspend) by default, and the usb_driver flag the driver used to opt out has no effect, so an idle device may be runtime-suspended while still bound. When ndo_open() (called under RTNL) then has to wake the device, it triggers a synchronous autoresume into asix_resume() while the USB PM lock is held; the resume path goes into phylink/phylib and MDIO, which also expect RTNL, giving a lock-ordering problem between RTNL and the PM lock that can deadlock. [1]

Triggering the bug needs no crafted input: an idle device autosuspends on its own, and any subsequent admin up of the interface (a CAP_NET_ADMIN operation, routinely performed by a network manager or a link-flap script) supplies the resume under RTNL. The timing therefore depends on autosuspend_delay_ms and interface activity rather than on anything an attacker controls directly, but the condition can arise during normal operation. The root cause is that ax88772_bind() never took a PM usage reference, so runtime suspend was allowed to proceed. [2]

A deadlock taken with RTNL held blocks the task opening the interface and every later operation that needs RTNL (interface configuration, route changes, most of netlink), so the practical effect is a denial of service that persists until reboot, and on systems where the USB NIC is the only link, a loss of management access. No remote code execution or data leakage is expected from this vulnerability alone; it is a lock-ordering problem confined to kernel synchronization primitives. [1][2]

The fix takes a runtime-PM usage reference in ax88772_bind() and drops it in unbind(). Because a non-zero usage count blocks runtime suspend regardless of the power/control sysfs policy, the device stays runtime-active for the lifetime of the binding and cannot be talked back into autosuspend from userspace. System-wide sleep (suspend-to-RAM) is unaffected; the system suspend/resume callbacks still run. Users should update to a kernel containing commit 71a0ba7fdaf8 or its stable backport. [1][2]

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
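A practitioner-side check for the condition described above, added here and not taken from the kernel tree or this advisory: it reports whether the USB device behind an asix-bound network interface can still runtime-suspend, which is what distinguishes an unpatched driver (usage count 0, device goes to "suspended" when idle) from the fixed one (usage reference held from bind to unbind). It assumes the standard sysfs layout, with /sys/class/net/IF/device pointing at the USB interface and its parent being the USB device whose power/control and power/runtime_status are the knobs documented in Documentation/usb/power-management.rst. It further assumes that the reference taken by usb_autopm_get_interface() is visible in the interface's power/runtime_usage; that attribute only exists on kernels built with CONFIG_PM_ADVANCED_DEBUG=y, and the script reports the observed status instead when it is absent. SYSFS is an override introduced for this example so the functions can be exercised against a constructed tree.

```shell
#!/bin/sh
# Added example (not from the kernel tree or this advisory): report whether the
# USB device behind a network interface can still runtime-suspend.
# Assumed sysfs layout:
#   $SYSFS/class/net/IF/device            -> USB interface dir (e.g. 1-1:1.0)
#   <interface dir>/..                    -> USB device dir (e.g. 1-1)
#   <device dir>/power/control            -> "auto" or "on" (userspace policy)
#   <device dir>/power/runtime_status     -> "active" / "suspended" / ...
#   <interface dir>/power/runtime_usage   -> usage count held on the interface;
#                                            present only with CONFIG_PM_ADVANCED_DEBUG=y
# SYSFS is an override so the functions can be run against a constructed tree.
SYSFS="${SYSFS:-/sys}"

# usb_dirs IFACE: print "<interface dir> <device dir>" for IFACE, or fail.
usb_dirs() {
    intf=$(readlink -f "$SYSFS/class/net/$1/device") || return 1
    [ -d "$intf" ] || return 1
    printf '%s %s\n' "$intf" "$(dirname "$intf")"
}

# attr PATH DEFAULT: print the attribute's value, or DEFAULT when it is absent.
attr() {
    cat "$1" 2>/dev/null || printf '%s\n' "$2"
}

# verdict IFACE: print one word describing IFACE's runtime-PM situation:
#   suspendable          control=auto and no usage reference held (unpatched behaviour)
#   held-by-driver       usage count > 0: suspend blocked regardless of control
#   forbidden-by-policy  control=on; a single sysfs write re-enables autosuspend
#   no-usb-device        IFACE does not sit on a USB interface
#   unknown(...)         runtime_usage unavailable; status and control are printed instead
verdict() {
    dirs=$(usb_dirs "$1") || { echo "no-usb-device"; return 1; }
    set -- $dirs
    intf=$1; dev=$2
    usage=$(attr "$intf/power/runtime_usage" n/a)
    control=$(attr "$dev/power/control" unknown)
    status=$(attr "$dev/power/runtime_status" unknown)
    case "$usage" in
        n/a) echo "unknown(status=$status,control=$control)" ;;
        0)   case "$control" in
                 auto) echo suspendable ;;
                 on)   echo forbidden-by-policy ;;
                 *)    echo "unknown(status=$status,control=$control)" ;;
             esac ;;
        *)   echo held-by-driver ;;
    esac
}

# report_asix: print "IF: verdict" for every interface bound to the asix driver.
report_asix() {
    for n in "$SYSFS"/class/net/*; do
        [ -e "$n/device/driver" ] || continue
        drv=$(readlink -f "$n/device/driver") || continue
        [ "$(basename "$drv")" = asix ] || continue
        ifname=$(basename "$n")
        printf '%s: %s\n' "$ifname" "$(verdict "$ifname")"
    done
    return 0
}

report_asix
```

Read the count only while the interface is idle (ideally admin-down): usbnet takes transient references around I/O, so a non-zero value during traffic proves nothing. A fixed driver shows a count that never drops to zero while bound; an unpatched one reports suspendable and, once autosuspend_delay_ms has elapsed, runtime_status turns to suspended, which is exactly the state a following admin up has to resume from under RTNL.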

Affected products (2)

  • Linux kernel (inferred): 2 versions, no CPE assigned

Patches (6)

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (6)

News mentions (0)

No linked articles in our index yet.