CVE-2022-49350

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-49350
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49350.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-49350
Downstream
Related
Published
2025-02-26T07:01:11Z
Modified
2025-09-22T20:29:16Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

net: mdio: unexport _init-annotated mdiobus_init()

EXPORTSYMBOL and _init is a bad combination because the .init.text section is freed up after the initialization. Hence, modules cannot use symbols annotated __init. The access to a freed symbol may end up with kernel panic.

modpost used to detect it, but it has been broken for a decade.

Recently, I fixed modpost so it started to warn it again, then this showed up in linux-next builds.

There are two ways to fix it:

  • Remove __init
  • Remove EXPORT_SYMBOL

I chose the latter for this case because the only in-tree call-site, drivers/net/phy/phydevice.c is never compiled as modular. (CONFIGPHYLIB is boolean)

References

Affected packages