[PATCH] netdevsim: fix use-after-free in __nsim_dev_port_del

From: Hrushiraj Gandhi

Date: Thu Jun 18 2026 - 03:33:56 EST


debugfs files created under a port's ddir (ethtool/get_err,
ethtool/set_err, ring params, bpf_offloaded_id, udp_ports/inject_error,
etc.) store raw pointers directly into the netdevsim struct, which lives
in the net_device private data kmalloc slab.

In __nsim_dev_port_del(), nsim_destroy() was called before
nsim_dev_port_debugfs_exit(), meaning free_netdev() freed the
netdevsim slab while debugfs files still held live pointers into it.
A concurrent reader with the file already open could pass
debugfs_file_get(), then dereference the freed pointer in
debugfs_u32_get(), triggering a slab-use-after-free.

Fix by calling nsim_dev_port_debugfs_exit() first, so
debugfs_remove_recursive() tears down the entire port ddir subtree
(invalidating all stale data pointers) before free_netdev() releases
the backing memory.

Reported-by: syzbot+6c25f4750230faf70be9@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=6c25f4750230faf70be9
Fixes: e05b2d141fef ("netdevsim: move netdev creation/destruction to dev probe")
Signed-off-by: Hrushiraj Gandhi <hrushirajg23@xxxxxxxxx>
---
drivers/net/netdevsim/dev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/netdevsim/dev.c b/drivers/net/netdevsim/dev.c
index f00fc2f9ebde..77417dd0f752 100644
--- a/drivers/net/netdevsim/dev.c
+++ b/drivers/net/netdevsim/dev.c
@@ -1544,8 +1544,8 @@ static void __nsim_dev_port_del(struct
nsim_dev_port *nsim_dev_port)
list_del(&nsim_dev_port->list);
if (nsim_dev_port_is_vf(nsim_dev_port))
devl_rate_leaf_destroy(&nsim_dev_port->devlink_port);
- nsim_destroy(nsim_dev_port->ns);
nsim_dev_port_debugfs_exit(nsim_dev_port);
+ nsim_destroy(nsim_dev_port->ns);
if (nsim_dev_port_is_pf(nsim_dev_port))
devl_port_resources_unregister(devlink_port);
devl_port_unregister(devlink_port);
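Review bot: The order of nsim_dev_port_debugfs_exit() and nsim_destroy() in __nsim_dev_port_del() is now what prevents the use-after-free, but nothing in the code says so, and the two calls look interchangeable to anyone tidying this function later. Please add a short comment above them stating that the debugfs files under the port ddir hold pointers into the netdevsim private data and must therefore be removed before nsim_destroy() frees the netdev. It would also help to confirm in the commit message that nsim_destroy() does not itself touch any dentry under the port ddir, since that directory is already gone by the time it runs after this change.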
--
2.47.3