Re: [PATCH] wifi: virt_wifi: remove SET_NETDEV_DEV to avoid use-after-free
From: Alexander Popov <hidden>
Date: 2026-03-25 17:24:52
Also in: linux-wireless, lkml

On 3/25/26 15:34, Andrew Lunn wrote:
> On Wed, Mar 25, 2026 at 01:46:02AM +0300, Alexander Popov wrote:
>> Currently we execute `SET_NETDEV_DEV(dev, &priv->lowerdev->dev)` for the virt_wifi net devices. However, unregistering a virt_wifi device in netdev_run_todo() can happen together with the device referenced by SET_NETDEV_DEV(). It can result in use-after-free during the ethtool operations performed on a virt_wifi device that is currently being unregistered. Such a net device can have the `dev.parent` field pointing to the freed memory, but ethnl_ops_begin() calls `pm_runtime_get_sync(dev->dev.parent)`.
>>
>> Let's remove SET_NETDEV_DEV for virt_wifi to avoid bugs like this:
>
> Did you have a look at all users of SET_NETDEV_DEV() to see if there are other examples of the same bug?
>
> What I found was:
>
> https://elixir.bootlin.com/linux/v6.19.9/source/drivers/net/ethernet/mellanox/mlx4/en_netdev.c#L3180
>
> Does this have the same problem?

Andrew, I can't say about this particular net device. Looks like it refers to a specific ethernet adapter.

How can we distinguish security-relevant bugs similar to this use-after-free: an unprivileged user must be able to create a given net device via user namespaces.

As I mentioned, applying this fix in ethtool could help against them:
https://lore.kernel.org/all/20260322075917.254874-1-alex.popov@linux.com/T/#u

Best regards,
Alexander