On Wed, Sep 20, 2017 at 11:30 AM, Eric Dumazet <eric.duma...@gmail.com> wrote:
> On Wed, 2017-09-20 at 11:22 -0700, Cong Wang wrote:
>> but dmesg at this time shows nothing about interfaces or flaps.
>>
>> This is very odd.
>>
>> We only free a netdevice in free_netdev(), and it is only called when
>> we unregister a netdevice. Otherwise it is impossible for pcpu_refcnt
>> to be NULL.
>
> If there is a missing dev_hold() or one dev_put() in excess,
> this would allow the netdev to be freed too soon.
>
> -> Use after free.
> memory holding netdev could be reallocated-cleared by some other kernel
> user.
>
Sure, but only unregister could trigger a free. If there is no unregister, as Pawel claims, then there is no free; the refcnt just goes to 0 but the memory is still there.
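The imbalance Eric describes is invisible in the summed count that pcpu_refcnt gives you. As an added example (not code from this thread or from the kernel), a toy per-owner tracker with hypothetical owner tags and constructed hold/put sequences shows which path did a dev_put() without a matching dev_hold():

```c
#include <string.h>

#define MAX_OWNERS 8
#define TAG_LEN 32

/* Toy tracker: 'total' mirrors what netdev_refcnt_read() reports; the
 * per-owner balances (hypothetical owner tags) are the extra bookkeeping. */
struct ref_tracker {
    int total, n;
    char tag[MAX_OWNERS][TAG_LEN];
    int count[MAX_OWNERS];            /* holds minus puts, per owner */
};
static int owner_slot(struct ref_tracker *t, const char *tag)
{
    for (int i = 0; i < t->n; i++)
        if (strcmp(t->tag[i], tag) == 0) return i;
    if (t->n == MAX_OWNERS) return -1;  /* table full: op is dropped */
    strncpy(t->tag[t->n], tag, TAG_LEN - 1);
    t->tag[t->n][TAG_LEN - 1] = '\0';
    t->count[t->n] = 0;
    return t->n++;
}
/* Stand-in for dev_hold()/dev_put() that also records who did it. */
static void tracked_ref(struct ref_tracker *t, const char *tag, int delta)
{
    int i = owner_slot(t, tag);
    if (i >= 0) { t->count[i] += delta; t->total += delta; }
}
#define tracked_hold(t, tag) tracked_ref(t, tag, +1)
#define tracked_put(t, tag)  tracked_ref(t, tag, -1)
/* First owner that put more than it held, or NULL if all are balanced. */
static const char *find_excess_put(const struct ref_tracker *t)
{
    for (int i = 0; i < t->n; i++)
        if (t->count[i] < 0) return t->tag[i];
    return NULL;
}
/* Constructed scenario: core holds at register, two users hold, user_a puts
 * correctly, a buggy path puts without ever holding. total ends at 1 though
 * two holders remain (the drift that frees too soon); the owner view names it. */
static const char *demo(struct ref_tracker *t)
{
    memset(t, 0, sizeof *t);
    tracked_hold(t, "register_netdevice");
    tracked_hold(t, "user_a");
    tracked_hold(t, "user_b");
    tracked_put(t, "user_a");
    tracked_put(t, "buggy_path");
    return find_excess_put(t);        /* -> "buggy_path" */
}
```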