[PATCH] net: ethernet: arc: fix use-after-free in probe error path

吴凡 12321260 at zju.edu.cn
Sun Mar 8 00:56:08 PST 2026


You are right that normal device interrupt generation is enabled in arc_emac_open() via R_ENABLE, so we certainly don't expect regular RX/TX traffic interrupts during probe.

My main concern here is the lifetime ordering in the error path. arc_emac_probe() installs the IRQ handler via devm_request_irq(..., ndev), but if emac_rockchip_probe() fails later, it explicitly calls free_netdev(ndev) well before the devres cleanup routine runs.

In that specific gap, if an IRQ is somehow delivered—perhaps from a pending/latched line left by the firmware/bootloader, or other non-traffic anomalies—arc_emac_intr() will immediately dereference dev_id as a struct net_device *. Since ndev has already been manually freed, this results in a UAF.

So while I completely agree this isn't a normal pre-open traffic path, the mixed lifetime management (managed IRQ vs. manual netdev free) still creates a real race window.

Switching to devm_alloc_etherdev() puts both resources under devres management, permanently fixing this teardown ordering issue. I would be happy to send a v2 and reword the commit log to emphasize this as a potential race window and a hardening fix. Let me know what you think.


> -----Original Messages-----
> From: "Andrew Lunn" <andrew at lunn.ch>
> Send time:Thursday, 05/03/2026 06:29:05
> To: "Fan Wu" <fanwu01 at zju.edu.cn>
> Cc: netdev at vger.kernel.org, davem at davemloft.net, kuba at kernel.org, edumazet at google.com, pabeni at redhat.com, andrew+netdev at lunn.ch, heiko at sntech.de, romain.perier at gmail.com, linux-arm-kernel at lists.infradead.org, linux-rockchip at lists.infradead.org, stable at vger.kernel.org
> Subject: Re: [PATCH] net: ethernet: arc: fix use-after-free in probe error path
> 
> On Wed, Mar 04, 2026 at 02:53:03AM +0000, Fan Wu wrote:
> > The arc_emac_probe() function calls devm_request_irq() with the
> > net_device as the dev_id. However, in the error path of
> > emac_rockchip_probe(), free_netdev(ndev) is called before the devm
> > cleanup happens. This creates a race window where an interrupt can
> > fire and the ISR (arc_emac_intr) will access the already freed
> > net_device structure.
> 
> It looks like interrupts are only enabled in arc_emac_open(). Have you
> seen interrupts before this?
> 
>      Andrew
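The teardown ordering Fan Wu describes at the top of this reply can be checked outside the kernel. The following is an added, constructed userland model (not kernel code and not part of the patch): a devres stack released LIFO, a single IRQ line whose `dev_id` is whatever the requester passed, and a `free_netdev()` that poisons the structure instead of freeing it so a handler running after the free is observable rather than undefined behaviour. The device, netdev and IRQ structures are simplified stand-ins; only the ordering of the calls mirrors arc_emac_probe()/emac_rockchip_probe().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the lifetime issue from the thread (not kernel code).
 * devres entries release in LIFO order; a managed IRQ keeps dev_id alive only
 * as long as the caller does; a manual free_netdev() before devres cleanup
 * leaves a dangling dev_id for a latched/spurious interrupt to dereference. */

#define MAX_DEVRES 8
#define NDEV_LIVE  0x4c495645u  /* arbitrary "alive" marker */
#define NDEV_FREED 0xdeadbeefu  /* poison written by the model free_netdev() */

struct net_device { unsigned int state; char name[16]; };
struct devres { void (*release)(void *); void *data; };
struct device { struct devres res[MAX_DEVRES]; int nres; };

/* one IRQ line; dev_id is the pointer handed to devm_request_irq() */
struct irq_action { int (*handler)(void *dev_id); void *dev_id; };
static struct irq_action irq_line;
static int uaf_hits;   /* handler runs that observed a freed net_device */

static void devm_add(struct device *dev, void (*release)(void *), void *data)
{
	dev->res[dev->nres].release = release;
	dev->res[dev->nres].data = data;
	dev->nres++;
}

/* devres cleanup: most recently added entry is released first */
static void devres_release_all(struct device *dev)
{
	while (dev->nres > 0) {
		struct devres *r = &dev->res[--dev->nres];
		r->release(r->data);
	}
}

/* model free: poison the state, keep the memory so the check stays defined */
static void free_netdev(struct net_device *ndev) { ndev->state = NDEV_FREED; }
static void devm_free_netdev(void *data) { free_netdev(data); }

static void release_irq(void *unused)
{
	(void)unused;
	irq_line.handler = NULL;
	irq_line.dev_id = NULL;
}

static void devm_request_irq(struct device *dev, int (*handler)(void *), void *dev_id)
{
	irq_line.handler = handler;
	irq_line.dev_id = dev_id;
	devm_add(dev, release_irq, NULL);   /* devres owns the IRQ registration */
}

static struct net_device *alloc_etherdev(void)
{
	struct net_device *ndev = calloc(1, sizeof(*ndev));
	ndev->state = NDEV_LIVE;
	strcpy(ndev->name, "eth0");
	return ndev;
}

static struct net_device *devm_alloc_etherdev(struct device *dev)
{
	struct net_device *ndev = alloc_etherdev();
	devm_add(dev, devm_free_netdev, ndev);   /* devres owns the netdev too */
	return ndev;
}

/* stand-in for arc_emac_intr(): dereferences dev_id as a net_device */
static int arc_emac_intr(void *dev_id)
{
	struct net_device *ndev = dev_id;
	if (ndev->state != NDEV_LIVE) { uaf_hits++; return -1; }
	return 0;
}

/* a latched or spurious interrupt: runs the handler only if one is installed */
static int deliver_irq(void)
{
	return irq_line.handler ? irq_line.handler(irq_line.dev_id) : 0;
}

/* Current shape: alloc_etherdev() plus manual free_netdev() on error.
 * Returns how many handler runs touched a freed net_device (expected 1). */
int probe_manual_free_then_fail(void)
{
	struct device dev = { 0 };
	struct net_device *ndev = alloc_etherdev();
	uaf_hits = 0;
	devm_request_irq(&dev, arc_emac_intr, ndev);  /* arc_emac_probe() */
	free_netdev(ndev);          /* later step fails: manual error path */
	deliver_irq();              /* the gap: IRQ still registered, ndev gone */
	devres_release_all(&dev);   /* IRQ only released here */
	free(ndev);
	return uaf_hits;
}

/* Proposed shape: devm_alloc_etherdev() registered before the IRQ, so LIFO
 * release frees the IRQ first and the netdev second (expected 0). */
int probe_devm_then_fail(void)
{
	struct device dev = { 0 };
	struct net_device *ndev = devm_alloc_etherdev(&dev);
	uaf_hits = 0;
	devm_request_irq(&dev, arc_emac_intr, ndev);
	deliver_irq();              /* before cleanup: handler sees a live ndev */
	devres_release_all(&dev);   /* no manual free_netdev(); IRQ goes first */
	deliver_irq();              /* after cleanup: no handler is installed */
	free(ndev);
	return uaf_hits;
}

int main(void)
{
	printf("manual free_netdev(): %d stale handler run(s)\n", probe_manual_free_then_fail());
	printf("devm_alloc_etherdev(): %d stale handler run(s)\n", probe_devm_then_fail());
	return 0;
}
```

The point the model makes explicit is that devres LIFO order is only a fix when the netdev's devres entry is registered before the IRQ's, which is what calling devm_alloc_etherdev() ahead of devm_request_irq() gives; a manual free_netdev() anywhere before devres cleanup reopens the gap regardless of how the IRQ was requested.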

