Fix for use-after-free by if_ioctl() calls from user-space in USB drivers by

detaching the ifnet before the miibus. PR: 252608 Suggested by: jhb@ MFC after: 1 week Sponsored by: Mellanox Technologies // NVIDIA Networking
2026-05-28 04:12:45 -04:00 · 2021-01-12 18:51:09 +01:00 · 2021-01-12 18:51:09 +01:00 · 4eac63af23
commit 4eac63af23
parent b764a42653
2 changed files with 7 additions and 4 deletions
--- a/sys/dev/usb/net/uhso.c
+++ b/sys/dev/usb/net/uhso.c
@ -691,10 +691,10 @@ uhso_detach(device_t self)
 		free_unr(uhso_ifnet_unit, sc->sc_ifp->if_dunit);
 		mtx_lock(&sc->sc_mtx);
 		uhso_if_stop(sc);
+		mtx_unlock(&sc->sc_mtx);
 		bpfdetach(sc->sc_ifp);
 		if_detach(sc->sc_ifp);
 		if_free(sc->sc_ifp);
-		mtx_unlock(&sc->sc_mtx);
 		usbd_transfer_unsetup(sc->sc_if_xfer, UHSO_IFNET_MAX);
 	}

--- a/sys/dev/usb/net/usb_ethernet.c
+++ b/sys/dev/usb/net/usb_ethernet.c
@ -319,6 +319,12 @@ uether_ifdetach(struct usb_ether *ue)
 		/* drain any callouts */
 		usb_callout_drain(&ue->ue_watchdog);

+		/*
+		 * Detach ethernet first to stop miibus calls from
+		 * user-space:
+		 */
+		ether_ifdetach(ifp);
+
 		/* detach miibus */
 		if (ue->ue_miibus != NULL) {
 			mtx_lock(&Giant);	/* device_xxx() depends on this */
@ -326,9 +332,6 @@ uether_ifdetach(struct usb_ether *ue)
 			mtx_unlock(&Giant);
 		}

-		/* detach ethernet */
-		ether_ifdetach(ifp);
-
 		/* free interface instance */
 		if_free(ifp);