Re: [PATCH] ethtool: don't touch the parent device of a net device being unregistered

Next message: Bjorn Helgaas: "Re: [PATCH v1] PCI: imx6: Add force_suspend flag to override L1SS suspend skip"
Previous message: Samiullah Khawaja: "Re: [PATCH 13/14] vfio/pci: Preserve the iommufd state of the vfio cdev"
In reply to: Alexander Popov: "Re: [PATCH] ethtool: don't touch the parent device of a net device being unregistered"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jakub Kicinski

Date: Mon Mar 23 2026 - 18:08:35 EST

On Mon, 23 Mar 2026 02:08:53 +0300 Alexander Popov wrote:
> Hello Andrew, let me describe the scenario that I see:
>
> - The netdev_run_todo() function handles the net devices in net_todo_list
> in a loop and moves each of them into the NETREG_UNREGISTERED state:
> netdev_lock(dev);
> WRITE_ONCE(dev->reg_state, NETREG_UNREGISTERED);
> netdev_unlock(dev);
>
> - Then netdev_run_todo() frees these net devices in another loop.
> On each iteration, it chooses a device for freeing:
> dev = netdev_wait_allrefs_any(&list);
>
> - At the same time, the ethnl_set_features() function calls
> ethnl_parse_header_dev_get() for the child net device.
>
> - If the race condition succeeds, ethnl_set_features() takes the reference
> to the child net device being unregistered. That makes netdev_run_todo()
> free the parent first.

That's not sufficient detail. ethnl_parse_header_dev_get() is under RCU
and unregistration does an RCU sync after delisting the device. Also
not sure you're distinguishing struct net_device and struct device.

How did you hit this issue? What are the net devices involved?