Re: [PATCH] wifi: virt_wifi: remove SET_NETDEV_DEV to avoid use-after-free
From: Greg KH <gregkh@linuxfoundation.org>
Date: 2026-03-25 13:48:10
Also in:
linux-wireless, lkml
On Wed, Mar 25, 2026 at 01:34:43PM +0100, Andrew Lunn wrote:
> On Wed, Mar 25, 2026 at 01:46:02AM +0300, Alexander Popov wrote:
> > Currently we execute `SET_NETDEV_DEV(dev, &priv->lowerdev->dev)` for the virt_wifi net devices. However, unregistering a virt_wifi device in netdev_run_todo() can happen together with the device referenced by SET_NETDEV_DEV(). It can result in use-after-free during the ethtool operations performed on a virt_wifi device that is currently being unregistered. Such a net device can have the `dev.parent` field pointing to the freed memory, but ethnl_ops_begin() calls `pm_runtime_get_sync(dev->dev.parent)`.
> >
> > Let's remove SET_NETDEV_DEV for virt_wifi to avoid bugs like this:
>
> Did you have a look at all users of SET_NETDEV_DEV() to see if there are other examples of the same bug?
>
> What I found was:
>
> https://elixir.bootlin.com/linux/v6.19.9/source/drivers/net/ethernet/mellanox/mlx4/en_netdev.c#L3180
>
> Does this have the same problem?

That's not pointing to the "parent" device, but rather the actual device under operation from what I can tell. Or am I mistaking what "pdev" means here? Isn't that the pci device the driver is bound to?

thanks,

greg k-h