From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from mail-oi1-f200.google.com (mail-oi1-f200.google.com [209.85.167.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 076152F2910
	for ; Thu, 18 Jun 2026 07:40:18 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.167.200
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1781768420; cv=none;
	b=G9WttHkwnf+cnNhcfgkCAXvNFpZEfurMN1PEnEYYZHI0YyA0UNpFw6CLF0PUJs5SKMKRj8VG46gF69+2zryYQ8ecJ+NXsQWOA1nwiX+lwPoHrBaOZTcdTglHXIVFLJvQZMmNLPi0QHM9qYSoHjQp1rWTKezyiVhOpq11sd/LfSQ=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1781768420; c=relaxed/simple;
	bh=L6Ww0TKAzFrz99BfhRebdMeRmEC94xJC1oyMZYx2A6w=;
	h=MIME-Version:Date:In-Reply-To:Message-ID:Subject:From:To:Content-Type;
	b=Th8eRZxeLMqt9gXN8GqC7ul+divJPMQ1Y1W5uESJICscPe1+zTkE7ozA/7j4s54bnjWehiSYPmlFrnV5Yqedvl3dalY2UpdrmaMVzMp1Ua0pL3Bo/moyTnpgctuZ57kHygAQp9OdeyWwjoZuCcIFSJxfMJWO5jmI9SIYt/6s69A=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=fail (p=none dis=none) header.from=syzkaller.appspotmail.com;
	spf=pass smtp.mailfrom=M3KW2WVRGUFZ5GODRSRYTGD7.apphosting.bounces.google.com;
	arc=none smtp.client-ip=209.85.167.200
Authentication-Results: smtp.subspace.kernel.org; dmarc=fail (p=none dis=none) header.from=syzkaller.appspotmail.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=M3KW2WVRGUFZ5GODRSRYTGD7.apphosting.bounces.google.com
Received: by mail-oi1-f200.google.com with SMTP id 5614622812f47-486a2a910efso1345094b6e.2
	for ; Thu, 18 Jun 2026 00:40:18 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1781768418; x=1782373218;
	h=to:from:subject:message-id:in-reply-to:date:mime-version:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
	bh=ckG5dGbhVtN0bULfGE0+z+XsH2fwLgGPQzm1by1kllc=;
	b=Gu2bek7ZkYEEKBYKqkzMOHw/Uu9lSnx10W/C4cY2HG7h0go+4rXDORoukORnWeOu5Q
	Hbwcbb1nszIkoCn8X9pcW2QRqQz5gzD4/XE03bMrUHpoNLnaHRqy3ThJN12QeCrVqtbH
	MzEQU+XFH2isDpv69tW45r60o8IuhujF+7Tv2xhgtftUvC2wj7n5eKQAz8KOob+b8sL8
	q+RW9ARYUUOSaLCiRhCPGCWo63NhOtE8KfMhEJuBbav2gdPtGGJCgST3+ZzGy65VBhVB
	yMyoqVSGhChPk5JSGtA+haAeQ3dYqRRNjNatBsAJXY6lNzm50BHkq5axGAH6JOzsBPT9
	kGXA==
X-Gm-Message-State: AOJu0YyxEtrnZPKm8ROJe2o5XJWu7CmXqKUSM9X6EllIX8VKudgJk5ZN
	CT5ES76c/LFD6zZ5Xl37gY7Xbe1tGOKtlClhhcPi4iEqt9fRxxocjHAgnSxF+xRo08JLv+rHru7
	3XtVVUYyxPlQB3AhBRhSq4UkdaIg/dn2fj+FGUqh+UJZAOq5pSbkgmJomsuU=
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id:
List-Subscribe:
List-Unsubscribe:
MIME-Version: 1.0
X-Received: by 2002:a05:6808:1a03:b0:485:4443:dbed with SMTP id 5614622812f47-489428537ecmr6626440b6e.8.1781768418007;
	Thu, 18 Jun 2026 00:40:18 -0700 (PDT)
Date: Thu, 18 Jun 2026 00:40:17 -0700
In-Reply-To: <6a32e8e7.9e4c924b.10726f.0023.GAE@google.com>
X-Google-Appengine-App-Id: s~syzkaller
X-Google-Appengine-App-Id-Alias: syzkaller
Message-ID: <6a33a0e1.d85dbdf7.1299fc.0007.GAE@google.com>
Subject: Forwarded: netdevsim: fix use-after-free in __nsim_dev_port_del
From: syzbot
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Content-Type: text/plain; charset="UTF-8"

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: netdevsim: fix use-after-free in __nsim_dev_port_del
Author: hrushirajg23@gmail.com

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

>From b3aa94bf5977395e788b457e3bb073c2b7f4580d Mon Sep 17 00:00:00 2001
From: Hrushiraj Gandhi Date: Thu, 18 Jun 2026 13:03:56 +0530 Subject: [PATCH] netdevsim: fix use-after-free in __nsim_dev_port_del debugfs files created under a port's ddir (ethtool/get_err, ethtool/set_err, ring params, bpf_offloaded_id, udp_ports/inject_error, etc.) store raw pointers directly into the netdevsim struct, which lives in the net_device private data kmalloc slab. In __nsim_dev_port_del(), nsim_destroy() was called before nsim_dev_port_debugfs_exit(), meaning free_netdev() freed the netdevsim slab while debugfs files still held live pointers into it. A concurrent reader with the file already open could pass debugfs_file_get(), then dereference the freed pointer in debugfs_u32_get(), triggering a slab-use-after-free. Fix by calling nsim_dev_port_debugfs_exit() first, so debugfs_remove_recursive() tears down the entire port ddir subtree (invalidating all stale data pointers) before free_netdev() releases the backing memory. Reported-by: syzbot+6c25f4750230faf70be9@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=6c25f4750230faf70be9 Fixes: e05b2d141fef ("netdevsim: move netdev creation/destruction to dev probe") Signed-off-by: Hrushiraj Gandhi --- drivers/net/netdevsim/dev.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/netdevsim/dev.c b/drivers/net/netdevsim/dev.c index f00fc2f9ebde..77417dd0f752 100644 --- a/drivers/net/netdevsim/dev.c +++ b/drivers/net/netdevsim/dev.c @@ -1544,8 +1544,8 @@ static void __nsim_dev_port_del(struct nsim_dev_port *nsim_dev_port) list_del(&nsim_dev_port->list); if (nsim_dev_port_is_vf(nsim_dev_port)) devl_rate_leaf_destroy(&nsim_dev_port->devlink_port); - nsim_destroy(nsim_dev_port->ns); nsim_dev_port_debugfs_exit(nsim_dev_port); + nsim_destroy(nsim_dev_port->ns); if (nsim_dev_port_is_pf(nsim_dev_port)) devl_port_resources_unregister(devlink_port); devl_port_unregister(devlink_port); -- 2.47.3
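Review bot: the swap of nsim_destroy() and nsim_dev_port_debugfs_exit() in the hunk closes the race only because debugfs_remove_recursive() refuses new debugfs_file_get() callers and drains the ones already inside the file before it returns; the commit message describes exactly that window ("could pass debugfs_file_get()") but credits the fix only to "invalidating all stale data pointers", so state the draining explicitly. The new order also carries no hint in the code itself: add a one-line comment above `nsim_dev_port_debugfs_exit(nsim_dev_port);` (e.g. /* debugfs files point into ns; remove them before nsim_destroy() */) so a later cleanup does not swap the two calls back. Worth checking in the same pass that the port-add path creates these debugfs files only after nsim_create() has returned, so creation and teardown stay symmetric.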
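The lifetime rule behind this patch is general: every debugfs_create_u32()-style file is handed a raw pointer into some private structure, so that structure must outlive the file, and a teardown path must remove the debugfs entries before freeing the memory they point at. The userspace program below is an added model of that rule written for this page; it is not netdevsim or debugfs code. struct ns_model, struct dbg_file, model_kfree(), dbg_u32_read() and port_del() are hypothetical stand-ins for struct netdevsim, a debugfs u32 file, free_netdev(), debugfs_u32_get() and __nsim_dev_port_del(); the -EIO result mirrors what debugfs_file_get() returns on a removed file, and -EFAULT stands in for the KASAN slab-use-after-free report. The model is single-threaded, so it elides the wait that the real debugfs_remove_recursive() performs for readers already holding a debugfs_file_get() reference; the reader simply runs between the two teardown steps.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Model of kmalloc()/kfree(): freed ranges are recorded but the memory is
 * deliberately kept (leaked), so that a later dereference stays well defined
 * in this program and can be reported instead of being silent UB.
 */
#define MAX_FREED 8
struct freed_range { const char *base; size_t len; };
static struct freed_range freed_ranges[MAX_FREED];
static int nfreed;

static void *model_kzalloc(size_t len) { return calloc(1, len); }

static void model_kfree(void *p, size_t len)
{
    if (nfreed < MAX_FREED) {
        freed_ranges[nfreed].base = p;
        freed_ranges[nfreed].len = len;
        nfreed++;
    }
}

/* Stand-in for what KASAN would flag: does p point into a freed allocation? */
static int points_into_freed(const void *p)
{
    const char *c = p;
    for (int i = 0; i < nfreed; i++)
        if (c >= freed_ranges[i].base && c < freed_ranges[i].base + freed_ranges[i].len)
            return 1;
    return 0;
}

/* Hypothetical stand-in for struct netdevsim, which lives in the netdev private data. */
struct ns_model {
    uint32_t ethtool_get_err;
    uint32_t ethtool_set_err;
};

/* A debugfs u32 file: keeps a raw pointer into ns_model, as debugfs_create_u32() does. */
struct dbg_file {
    const char *name;
    uint32_t *data;
    int removed;
    int active_users;
};

/* debugfs_file_get(): refuse once the file is removed, otherwise pin it. */
static int dbg_file_get(struct dbg_file *f)
{
    if (f->removed)
        return -EIO;
    f->active_users++;
    return 0;
}

static void dbg_file_put(struct dbg_file *f)
{
    f->active_users--;
}

/* debugfs_remove_recursive(): no new users (the real one also drains active ones). */
static void dbg_remove(struct dbg_file *f)
{
    f->removed = 1;
}

/* debugfs_u32_get() as reached through the file's read path. */
static int dbg_u32_read(struct dbg_file *f, uint32_t *out)
{
    int rc = dbg_file_get(f);
    if (rc)
        return rc;
    if (points_into_freed(f->data))
        rc = -EFAULT;       /* the slab-use-after-free syzbot reported */
    else
        *out = *f->data;
    dbg_file_put(f);
    return rc;
}

/*
 * Port teardown with a reader that already has ethtool/get_err open and
 * issues read() between the two teardown steps.  Returns the reader's result:
 * -EFAULT models the UAF, -EIO the clean refusal after removal.
 */
static int port_del(int debugfs_exit_first)
{
    struct ns_model *ns = model_kzalloc(sizeof(*ns));
    struct dbg_file get_err = { "ethtool/get_err", &ns->ethtool_get_err, 0, 0 };
    uint32_t v = 0;
    int rc;

    ns->ethtool_get_err = 42;
    if (debugfs_exit_first) {
        dbg_remove(&get_err);               /* nsim_dev_port_debugfs_exit() */
        rc = dbg_u32_read(&get_err, &v);    /* reader is refused at debugfs_file_get() */
        model_kfree(ns, sizeof(*ns));       /* nsim_destroy() -> free_netdev() */
    } else {
        model_kfree(ns, sizeof(*ns));       /* old order: nsim_destroy() first */
        rc = dbg_u32_read(&get_err, &v);    /* reader passes file_get, reads freed slab */
        dbg_remove(&get_err);               /* too late: the pointer was already used */
    }
    return rc;
}

int main(void)
{
    printf("old order (destroy, then debugfs_exit): rc=%d\n", port_del(0));
    printf("fixed order (debugfs_exit, then destroy): rc=%d\n", port_del(1));
    return 0;
}
```

The same check applies to any driver that passes &priv->field to a debugfs_create_*() helper: in the remove path, grep for the debugfs_remove_recursive() call and confirm it precedes the kfree()/free_netdev() of every structure those files were given a pointer into.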