X-Mailing-List: linux-kernel@vger.kernel.org
Date: Thu, 18 Jun 2026 02:01:56 -0700
In-Reply-To: <6a32e8e7.9e4c924b.10726f.0023.GAE@google.com>
Message-ID: <6a33b404.88ebb2b1.955d.0019.GAE@google.com>
Subject: Forwarded: [PATCH] netdevsim: fix use-after-free in __nsim_dev_port_del
From: syzbot
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Content-Type: text/plain; charset="UTF-8"

For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] netdevsim: fix use-after-free in __nsim_dev_port_del
Author: hrushirajg23@gmail.com

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

debugfs files created under a port's ddir (ethtool/get_err, ethtool/set_err, ring params, bpf_offloaded_id, udp_ports/inject_error, etc.) store raw pointers directly into the netdevsim struct, which lives in the net_device private data kmalloc slab.

In __nsim_dev_port_del(), nsim_destroy() was called before nsim_dev_port_debugfs_exit(), meaning free_netdev() freed the netdevsim slab while debugfs files still held live pointers into it. A concurrent reader with the file already open could pass debugfs_file_get(), then dereference the freed pointer in debugfs_u32_get(), triggering a slab-use-after-free.

Fix by calling nsim_dev_port_debugfs_exit() first, so debugfs_remove_recursive() tears down the entire port ddir subtree (invalidating all stale data pointers) before free_netdev() releases the backing memory.

Reported-by: syzbot+6c25f4750230faf70be9@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=6c25f4750230faf70be9
Fixes: e05b2d141fef ("netdevsim: move netdev creation/destruction to dev probe")
Signed-off-by: Hrushiraj Gandhi
---
 drivers/net/netdevsim/dev.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/netdevsim/dev.c b/drivers/net/netdevsim/dev.c
index f00fc2f9ebde..77417dd0f752 100644
--- a/drivers/net/netdevsim/dev.c
+++ b/drivers/net/netdevsim/dev.c
@@ -1544,8 +1544,8 @@ static void __nsim_dev_port_del(struct nsim_dev_port *nsim_dev_port) list_del(&nsim_dev_port->list); if (nsim_dev_port_is_vf(nsim_dev_port)) devl_rate_leaf_destroy(&nsim_dev_port->devlink_port); - nsim_destroy(nsim_dev_port->ns); nsim_dev_port_debugfs_exit(nsim_dev_port); + nsim_destroy(nsim_dev_port->ns); if (nsim_dev_port_is_pf(nsim_dev_port)) devl_port_resources_unregister(devlink_port); devl_port_unregister(devlink_port); -- 2.47.3
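Review bot: The swap of nsim_dev_port_debugfs_exit() and nsim_destroy() matches the ordering dependency the commit message describes, but nothing in the hunk records why the order matters, so a later cleanup could swap the calls back and silently reintroduce the use-after-free; add a one-line comment above the nsim_dev_port_debugfs_exit() call, e.g. `/* Remove the port's debugfs entries before free_netdev(): they hold raw pointers into ns */`. It is also worth stating in the changelog (or confirming in review) that nsim_destroy() does not itself reference anything under the port's ddir, since those entries are now already gone when it runs.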