CVE-2025-21921

In the Linux kernel, the following vulnerability has been resolved:

net: ethtool: netlink: Allow NULL nlattrs when getting a phy_device

ethnlreqgetphydev() is used to lookup a phydevice, in the case an ethtool netlink command targets a specific phydev within a netdev's topology.

It takes as a parameter a const struct nlattr *header that's used for error handling :

   if (!phydev) {
           NL_SET_ERR_MSG_ATTR(extack, header,
                               "no phy matching phyindex");
           return ERR_PTR(-ENODEV);
   }

In the notify path after a ->set operation however, there's no request attributes available.

The typical callsite for the above function looks like:

phydev = ethnl_req_get_phydev(req_base, tb[ETHTOOL_A_XXX_HEADER],
                  info->extack);

So, when tb is NULL (such as in the ethnl notify path), we have a nice crash.

It turns out that there's only the PLCA command that is in that case, as the other phydev-specific commands don't have a notification.

This commit fixes the crash by passing the cmd index and the nlattr array separately, allowing NULL-checking it directly inside the helper.