Re: [PATCH] ethtool: don't touch the parent device of a net device being unregistered

From: Alexander Popov

Date: Sun Mar 29 2026 - 04:48:24 EST




On 25 March 2026 03:46:20 GMT+09:00, Alexander Popov <alex.popov@xxxxxxxxx> wrote:
>On 3/24/26 01:08, Jakub Kicinski wrote:
>> On Mon, 23 Mar 2026 02:08:53 +0300 Alexander Popov wrote:
>>> Hello Andrew, let me describe the scenario that I see:
>>>
>>> - The netdev_run_todo() function handles the net devices in net_todo_list
>>>   in a loop and moves each of them into the NETREG_UNREGISTERED state:
>>>       netdev_lock(dev);
>>>       WRITE_ONCE(dev->reg_state, NETREG_UNREGISTERED);
>>>       netdev_unlock(dev);
>>>
>>> - Then netdev_run_todo() frees these net devices in another loop.
>>>   On each iteration, it chooses a device for freeing:
>>>       dev = netdev_wait_allrefs_any(&list);
>>>
>>> - At the same time, the ethnl_set_features() function calls
>>>   ethnl_parse_header_dev_get() for the child net device.
>>>
>>> - If the race condition succeeds, ethnl_set_features() takes the reference
>>>   to the child net device being unregistered. That makes netdev_run_todo()
>>>   free the parent first.
>>
>> That's not sufficient detail. ethnl_parse_header_dev_get() is under RCU
>> and unregistration does an RCU sync after delisting the device. Also
>> not sure you're distinguishing struct net_device and struct device.
>>
>> How did you hit this issue? What are the net devices involved?
>
>I've provided additional details about the reproducer of this vulnerability to Jakub and to security@xxxxxxxxxx.

Hello! May I ask about the decision on this patch?

At patchwork.kernel.org, it is marked as "Changes Requested":
<https://patchwork.kernel.org/project/netdevbpf/patch/20260322075917.254874-1-alex.popov@xxxxxxxxx/>

However, I don't have any instructions on what to change in it.

Thanks!
Alexander