On Mon, Aug 24, 2020 at 10:07 PM Jason A. Donenfeld <ja...@zx2c4.com> wrote:
> I believe that the bug Dan reported would easily be fixed as well by
> just setting dev->needs_free_netdev=true and removing the call to
> free_netdev(dev) in wg_destruct, in wireguard. If you think that this is
> the more proper fix -- and that the problem actually isn't this flow in
> dev.c and any code that might hit this UaF is wrong -- let me know and
> I'll send in a patch for wireguard instead.

I think ppp might be hit by the same bug, actually.
netdev_run_todo->ppp_dev_priv_destructor()->ppp_destroy_interface()->free_netdev(dev),
followed by "if (dev->needs_free_netdev)".
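
The ordering described in this message, as an added userspace C model that is not part of the original mail or of the kernel source. Every `model_*` name, the `freed` flag and the counters are assumptions made for illustration; the model marks the device as freed instead of releasing it, so the stale read can be counted safely.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model only: every model_* name is hypothetical, not kernel code. */
struct model_dev {
    bool needs_free_netdev;
    void (*priv_destructor)(struct model_dev *);
    bool freed;                 /* stands in for the memory being released */
};
struct result { int frees; int reads_after_free; };
static struct result tally;
static void model_free_netdev(struct model_dev *dev) {
    dev->freed = true;          /* the real free happens in run_case() */
    tally.frees++;
}

/* Ordering from the thread: destructor runs first, then the flag is read. */
static void model_run_todo(struct model_dev *dev) {
    if (dev->priv_destructor)
        dev->priv_destructor(dev);
    if (dev->freed)
        tally.reads_after_free++;   /* the next read touches freed memory */
    if (dev->needs_free_netdev)
        model_free_netdev(dev);
}
/* Destructor that also frees the device, as in the reported flow. */
static void destructor_frees(struct model_dev *dev) { model_free_netdev(dev); }
/* Destructor that only tears down private state (the proposed change). */
static void destructor_keeps(struct model_dev *dev) { (void)dev; }

static struct result run_case(bool needs_free, void (*dtor)(struct model_dev *)) {
    struct model_dev *dev = calloc(1, sizeof *dev);
    if (!dev)
        abort();
    dev->needs_free_netdev = needs_free;
    dev->priv_destructor = dtor;
    tally = (struct result){0, 0};
    model_run_todo(dev);
    free(dev);
    return tally;
}

int main(void) {
    struct result bad = run_case(false, destructor_frees);
    struct result ok = run_case(true, destructor_keeps);
    printf("destructor frees: frees=%d stale_reads=%d\n", bad.frees, bad.reads_after_free);
    printf("core frees:       frees=%d stale_reads=%d\n", ok.frees, ok.reads_after_free);
    return 0;
}
```

Combining a freeing destructor with `needs_free_netdev` set adds a second free on top of the stale read, which is why the two changes in the quoted proposal go together.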
