Re: [PATCH] wifi: virt_wifi: remove SET_NETDEV_DEV to avoid use-after-free
From: Greg KH
Date: Wed Mar 25 2026 - 09:56:18 EST

On Wed, Mar 25, 2026 at 01:34:43PM +0100, Andrew Lunn wrote:
> On Wed, Mar 25, 2026 at 01:46:02AM +0300, Alexander Popov wrote:
> > Currently we execute `SET_NETDEV_DEV(dev, &priv->lowerdev->dev)` for
> > the virt_wifi net devices. However, unregistering a virt_wifi device in
> > netdev_run_todo() can happen together with the device referenced by
> > SET_NETDEV_DEV().
> >
> > It can result in use-after-free during the ethtool operations performed
> > on a virt_wifi device that is currently being unregistered. Such a net
> > device can have the `dev.parent` field pointing to the freed memory,
> > but ethnl_ops_begin() calls `pm_runtime_get_sync(dev->dev.parent)`.
> >
> > Let's remove SET_NETDEV_DEV for virt_wifi to avoid bugs like this:
>
> Did you have a look at all users of SET_NETDEV_DEV() to see if there
> are other examples of the same bug?
>
> What I found was:
>
> https://elixir.bootlin.com/linux/v6.19.9/source/drivers/net/ethernet/mellanox/mlx4/en_netdev.c#L3180
>
> Does this have the same problem?

That's not pointing to the "parent" device, but rather the actual device
under operation from what I can tell. Or am I mistaking what "pdev"
means here? Isn't that the pci device the driver is bound to?

thanks,

greg k-h