Re: [PATCH] wifi: virt_wifi: remove SET_NETDEV_DEV to avoid use-after-free
From: Alexander Popov
Date: Wed Mar 25 2026 - 13:33:06 EST
On 3/25/26 15:34, Andrew Lunn wrote:
> On Wed, Mar 25, 2026 at 01:46:02AM +0300, Alexander Popov wrote:
> > Currently we execute `SET_NETDEV_DEV(dev, &priv->lowerdev->dev)` for
> > the virt_wifi net devices. However, unregistering a virt_wifi device in
> > netdev_run_todo() can happen together with the device referenced by
> > SET_NETDEV_DEV().
> >
> > It can result in use-after-free during the ethtool operations performed
> > on a virt_wifi device that is currently being unregistered. Such a net
> > device can have the `dev.parent` field pointing to the freed memory,
> > but ethnl_ops_begin() calls `pm_runtime_get_sync(dev->dev.parent)`.
> >
> > Let's remove SET_NETDEV_DEV for virt_wifi to avoid bugs like this:
>
> Did you have a look at all users of SET_NETDEV_DEV() to see if there
> are other examples of the same bug?
>
> What I found was:
>
> https://elixir.bootlin.com/linux/v6.19.9/source/drivers/net/ethernet/mellanox/mlx4/en_netdev.c#L3180
>
> Does this have the same problem?

Andrew, I can't say about this particular net device. Looks like it refers to a specific ethernet adapter.
How can we distinguish security-relevant bugs similar to this use-after-free:
an unprivileged user must be able to create a given net device via user namespaces.
As I mentioned, applying this fix in ethtool could help against them:
https://lore.kernel.org/all/20260322075917.254874-1-alex.popov@xxxxxxxxx/T/#u
Best regards,
Alexander
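
Andrew's question about other SET_NETDEV_DEV() users, combined with the criterion given in the reply (the device type must be creatable by an unprivileged user via user namespaces), can be turned into a source triage pass. The following is an added example, not part of the original message or of any kernel tooling; treating a `struct rtnl_link_ops` with a `.newlink` handler as the marker for user-creatable device types is an assumption of the sketch, and the sample sources and paths are constructed.

```python
import re

# SET_NETDEV_DEV(<net device>, <parent struct device expression>);
CALL_RE = re.compile(r"SET_NETDEV_DEV\s*\(\s*[^,]+?,\s*(.+?)\s*\)\s*;", re.S)
# A struct rtnl_link_ops definition with a .newlink handler: the device type
# can be created over rtnetlink. Assumption of this sketch: that is a usable
# proxy for "creatable by an unprivileged user via user namespaces".
LINK_OPS_RE = re.compile(r"struct\s+rtnl_link_ops\s+\w+[^;]*?\.newlink\s*=", re.S)


def audit(sources):
    """Map path -> [(line, parent_expr)] for files needing a lifetime review."""
    findings = {}
    for path, text in sources.items():
        if not LINK_OPS_RE.search(text):
            continue  # not creatable via rtnetlink: lower triage priority
        calls = [(text.count("\n", 0, m.start()) + 1, m.group(1))
                 for m in CALL_RE.finditer(text)]
        if calls:
            findings[path] = calls
    return findings


# Constructed sample inputs (hypothetical paths, not real kernel sources).
SAMPLES = {
    "drivers/net/example_virt.c": """\
static int example_newlink(struct net_device *dev)
{
\tSET_NETDEV_DEV(dev, &priv->lowerdev->dev);
\treturn register_netdevice(dev);
}
static struct rtnl_link_ops example_link_ops = {
\t.kind = "example_virt",
\t.newlink = example_newlink,
};
""",
    "drivers/net/ethernet/example_hw.c": """\
static int example_probe(struct pci_dev *pdev)
{
\tSET_NETDEV_DEV(netdev, &pdev->dev);
\treturn register_netdev(netdev);
}
""",
}

if __name__ == "__main__":
    for path, calls in audit(SAMPLES).items():
        for line, parent in calls:
            print(f"{path}:{line}: parent = {parent}")
```

Each reported parent expression still needs a manual check of whether the parent device can be freed while the child net device is being unregistered.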