Date: Thu, 18 Jun 2026 06:12:23 -0700
In-Reply-To: <6a32e8e7.9e4c924b.10726f.0023.GAE@google.com>
Message-ID: <6a33eeb7.5beeccc9.ebf17.0001.GAE@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
Subject: Forwarded: [PATCH] netdevsim: fix use-after-free in __nsim_dev_port_del
From: syzbot
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Content-Type: text/plain; charset="UTF-8"

For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] netdevsim: fix use-after-free in __nsim_dev_port_del
Author: hrushirajg23@gmail.com

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

debugfs files created under a port's ddir (ethtool/get_err, ethtool/set_err, ring params, bpf_offloaded_id, udp_ports/inject_error, etc.) store raw pointers directly into the netdevsim struct, which lives in the net_device private data kmalloc slab. If these files outlive the netdevsim struct, a concurrent reader can trigger a slab-use-after-free by passing debugfs_file_get() (which only checks dentry lifetime) and then dereferencing the freed data pointer in debugfs_u32_get().

In __nsim_dev_port_del(), nsim_destroy() is called before nsim_dev_port_debugfs_exit(). However, nsim_destroy() calls free_netdev() at its end, while nsim_dev_port_debugfs_exit() removes the port's debugfs directory. This means the slab is freed before the debugfs files are removed.

Fix by calling debugfs_remove_recursive(ns->nsim_dev_port->ddir) in nsim_destroy() right before free_netdev(). This ensures all per-port debugfs files are destroyed synchronously before the backing memory is freed. The subsequent call to nsim_dev_port_debugfs_exit() in __nsim_dev_port_del() becomes a harmless no-op.

Reported-by: syzbot+6c25f4750230faf70be9@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=6c25f4750230faf70be9
Fixes: e05b2d141fef ("netdevsim: move netdev creation/destruction to dev probe")
Signed-off-by: Hrushiraj Gandhi
---
 drivers/net/netdevsim/netdev.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/drivers/net/netdevsim/netdev.c b/drivers/net/netdevsim/netdev.c
index a750768912b5..e2d714673c2d 100644
--- a/drivers/net/netdevsim/netdev.c +++ b/drivers/net/netdevsim/netdev.c @@ -1213,6 +1213,23 @@ void nsim_destroy(struct netdevsim *ns) ns->page = NULL; } + /* + * Remove all per-port debugfs files before free_netdev() releases + * the netdevsim struct. Files like ethtool/get_err, bpf_offloaded_id, + * etc. store raw pointers into ns (netdev_priv data inside the + * net_device slab). A concurrent reader with the file open could pass + * debugfs_file_get() and then dereference freed memory if these files + * outlive free_netdev(). debugfs_remove_recursive() on the parent ddir + * handles this atomically; the subsequent nsim_dev_port_debugfs_exit() + * call in __nsim_dev_port_del() becomes a harmless no-op. + * + * The three explicitly tracked dentries (vlan_dfs, qr_dfs, pp_dfs) + * are children of ddir and are covered by the recursive removal below, + * so their individual debugfs_remove() calls become no-ops too. + */ + debugfs_remove_recursive(ns->nsim_dev_port->ddir); + ns->nsim_dev_port->ddir = NULL; + free_netdev(dev); } -- 2.47.3
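Review bot: the added `debugfs_remove_recursive(ns->nsim_dev_port->ddir)` dereferences `ns->nsim_dev_port` with no NULL check, and it moves per-port debugfs teardown out of the code that owns it. The commit message states the root cause as ordering in `__nsim_dev_port_del()`, where `nsim_destroy()` runs before `nsim_dev_port_debugfs_exit()`; the smaller fix is to swap those two calls so the port's ddir is gone before `free_netdev()`, leaving `nsim_destroy()` untouched. If the removal must stay here, confirm that every caller of `nsim_destroy()` reaches it with `nsim_dev_port` set. Two points on the comment: `debugfs_remove_recursive()` does not act "atomically", it removes the files and waits for in-flight openers to drop the reference taken in `debugfs_file_get()`, so "synchronously", as the commit message puts it, is the accurate word; and the claim that the individual `debugfs_remove()` calls on vlan_dfs, qr_dfs and pp_dfs "become no-ops" is not supported by the hunk, which does not show where those calls sit. If they run earlier in `nsim_destroy()` they are not no-ops (harmless, but the comment misleads); if they run after this point they are handed dentries the recursive removal has already released, which deserves its own look. Either way the first paragraph of the comment restates the commit message and could be trimmed to two or three lines.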