Re: [PATCH] ethtool: don't touch the parent device of a net device being unregistered
From: Alexander Popov
Date: Tue Mar 24 2026 - 14:51:28 EST

On 3/24/26 01:08, Jakub Kicinski wrote:
> On Mon, 23 Mar 2026 02:08:53 +0300 Alexander Popov wrote:
>> Hello Andrew, let me describe the scenario that I see:
>>
>> - The netdev_run_todo() function handles the net devices in net_todo_list
>>   in a loop and moves each of them into the NETREG_UNREGISTERED state:
>>
>>     netdev_lock(dev);
>>     WRITE_ONCE(dev->reg_state, NETREG_UNREGISTERED);
>>     netdev_unlock(dev);
>>
>> - Then netdev_run_todo() frees these net devices in another loop.
>>   On each iteration, it chooses a device for freeing:
>>
>>     dev = netdev_wait_allrefs_any(&list);
>>
>> - At the same time, the ethnl_set_features() function calls
>>   ethnl_parse_header_dev_get() for the child net device.
>>
>> - If the race condition succeeds, ethnl_set_features() takes the reference
>>   to the child net device being unregistered. That makes netdev_run_todo()
>>   free the parent first.
>
> That's not sufficient detail. ethnl_parse_header_dev_get() is under RCU
> and unregistration does an RCU sync after delisting the device. Also
> not sure you're distinguishing struct net_device and struct device.
>
> How did you hit this issue? What are the net devices involved?

I've provided additional details about the reproducer of this vulnerability to Jakub and to security@xxxxxxxxxx.
Best regards,
Alexander