CVE-2025-37945: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-37945 is a vulnerability discovered in the Linux kernel, specifically affecting the MDIO bus power management operations for phylink-controlled PHY. The issue was published on May 20, 2025, and primarily impacts the handling of state machines in DSA (Distributed Switch Architecture) drivers (NVD, Wiz).

The vulnerability involves two categories of DSA drivers: those that call dsaswitchsuspend() and dsaswitchresume() from their device PM ops (like qca8k-8xxx, bcmsf2, microchip ksz), and those that don't. For the second category of drivers without MAC managed PM, mdiobusphysuspend() and mdiobusphyresume() should run in full. The issue occurs because mdiobusphysuspend() fails to call phystopmachine() since the phydev->adjust_link function pointer is NULL in phylink configurations (NVD, Wiz).

When triggered, the vulnerability causes the PHY state machine to remain running when it should be stopped, leading to a warning from mdiobusphy_resume() due to unexpected PHY states. This affects not only DSA drivers but potentially any MAC driver with phylink and MDIO-bus-managed PHY PM ops (Wiz).

The vulnerability has been resolved by making the existing conditions dependent on the PHY device having a phydev->phylinkchange() implementation equal to the default phylinkchange() provided by phylib. For cases where phydev->phylinkchange() is absent, the system will now properly handle the PHY state machine during suspend/resume operations (Wiz).