Re: [PATCH] wifi: virt_wifi: remove SET_NETDEV_DEV to avoid use-after-free

Next message: Fuad Tabba: "Re: [PATCH v2] KVM: arm64: Prevent the host from using an smc with imm16 != 0"
Previous message: Fernando Fernandez Mancera: "[PATCH 02/11 net-next v5] net: remove EXPORT_IPV6_MOD() and EXPORT_IPV6_MOD_GPL() macros"
In reply to: Breno Leitao: "Re: [PATCH] wifi: virt_wifi: remove SET_NETDEV_DEV to avoid use-after-free"
Next in thread: Greg KH: "Re: [PATCH] wifi: virt_wifi: remove SET_NETDEV_DEV to avoid use-after-free"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Andrew Lunn

Date: Wed Mar 25 2026 - 08:38:36 EST

On Wed, Mar 25, 2026 at 01:46:02AM +0300, Alexander Popov wrote:
> Currently we execute `SET_NETDEV_DEV(dev, &priv->lowerdev->dev)` for
> the virt_wifi net devices. However, unregistering a virt_wifi device in
> netdev_run_todo() can happen together with the device referenced by
> SET_NETDEV_DEV().
>
> It can result in use-after-free during the ethtool operations performed
> on a virt_wifi device that is currently being unregistered. Such a net
> device can have the `dev.parent` field pointing to the freed memory,
> but ethnl_ops_begin() calls `pm_runtime_get_sync(dev->dev.parent)`.
>
> Let's remove SET_NETDEV_DEV for virt_wifi to avoid bugs like this:

Did you have a look at all user of SET_NETDEV_DEV() to see if there
are other examples of the same bug?

What i found was:

https://elixir.bootlin.com/linux/v6.19.9/source/drivers/net/ethernet/mellanox/mlx4/en_netdev.c#L3180

Does this have the same problem?

Andrew