Re: [PATCH net-next v1] linkwatch: hold dev reference to prevent UAF in __linkwatch_run_queue()

From: Jakub Kicinski

Date: Thu Jan 29 2026 - 22:09:34 EST


On Wed, 28 Jan 2026 11:10:07 +0800 Jiayuan Chen wrote:
> Subject: [PATCH net-next v1] linkwatch: hold dev reference to prevent UAF in __linkwatch_run_queue()

Please use net rather than net-next for fixes.

> netdev_tracker_free(dev, &dev->linkwatch_dev_tracker);
> spin_unlock_irq(&lweventlist_lock);
> +
> + /*
> + * Hold extra reference to protect netdev_unlock_ops().
> + * linkwatch_do_dev() calls __dev_put() which releases
> + * the linkwatch reference. Without this extra hold,
> + * the device could be freed by netdev_run_todo() before
> + * we call netdev_unlock_ops().
> + */
> + __dev_hold(dev);
> netdev_lock_ops(dev);
> linkwatch_do_dev(dev);
> netdev_unlock_ops(dev);
> + __dev_put(dev);
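
Review bot: the comment above `__dev_hold(dev)` does not say what keeps `dev` alive between `spin_unlock_irq(&lweventlist_lock)` and the new hold, which is the first thing a reader will check. Going by the comment's own description, the linkwatch reference is only released later, inside `linkwatch_do_dev()`, so the window is covered, but the comment should say so explicitly. It would also read more accurately if it said the extra reference protects `dev` across `netdev_unlock_ops()` rather than protecting the unlock call itself.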

Please move the dev_put() from inside linkwatch_do_dev() out to its
(3) callers, instead of taking another ref. The dev_put() inside
linkwatch_do_dev() logically pairs with de-listing the device so
it's reasonable for the caller that did the de-listing to do it.
(of course that'll let you move it after the unlock)
--
pw-bot: cr