PT-2026-52329 · Linux · Linux
Published 2026-06-25 · Updated 2026-06-25
CVE-2026-53234
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
net: ibm: emac: Fix use-after-free during device removal
The driver was using devm_register_netdev() which causes unregister_netdev()
to be deferred until the devres cleanup phase, which runs after emac_remove()
returns. This creates a use-after-free window where:
1. emac_remove() is called, which tears down hardware (cancels work, detaches modules, unregisters from MAL)
2. emac_remove() returns
3. devres cleanup runs and finally calls unregister_netdev()
During step 3, the network stack might still process packets, triggering
emac_irq(), emac_poll(), or other handlers that access now-freed hardware
resources (dev->emacp, dev->mal, etc.).
Fix this by replacing devm_register_netdev() with manual register_netdev()
and calling unregister_netdev() at the beginning of emac_remove(), before
any hardware teardown. This ensures the network device is fully stopped and
unregistered before hardware resources are released.
The change is safe because:
- dev->ndev is assigned very early in probe (before any error paths that could bypass emac_remove)
- platform_set_drvdata() is only called after successful registration, so emac_remove() only runs for fully registered devices
- unregister_netdev() is idempotent and safe to call on any registered device
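
The teardown ordering described above, as a user-space C model added here for illustration (it is not the driver's code or the upstream patch). The model_* names and the boolean stand-ins for hardware state and netdev registration are assumptions; the model only counts handler runs that would have touched released hardware.

```c
/* Constructed user-space model of the unbind ordering; not kernel code. */
#include <stdbool.h>
#include <stdio.h>

struct model_dev {
    bool hw_live;           /* stands in for dev->emacp, dev->mal, ... */
    bool netdev_registered; /* the stack may call handlers while true */
    bool devm_managed;      /* true: registered via devm_register_netdev() */
    int  stale_accesses;    /* handler runs that touched released hardware */
};

/* Stand-in for emac_irq()/emac_poll(): reachable only while registered. */
static void model_handler(struct model_dev *d)
{
    if (!d->netdev_registered)
        return;
    if (!d->hw_live)
        d->stale_accesses++;    /* in the real driver: use-after-free */
}
static void model_unregister(struct model_dev *d) { d->netdev_registered = false; }

/* Stand-in for emac_remove(). */
static void model_remove(struct model_dev *d)
{
    if (!d->devm_managed)
        model_unregister(d);    /* fixed order: unregister before teardown */
    d->hw_live = false;         /* hardware teardown */
}

/* Stand-in for the driver core: remove() first, devres cleanup afterwards.
 * Traffic is modelled as one handler invocation at each stage. */
static int model_unbind(bool devm_managed)
{
    struct model_dev d = { .hw_live = true, .netdev_registered = true,
                           .devm_managed = devm_managed, .stale_accesses = 0 };
    model_handler(&d);          /* before removal: hardware still live */
    model_remove(&d);
    model_handler(&d);          /* window between remove() and devres */
    if (d.devm_managed)
        model_unregister(&d);   /* devres cleanup, after remove() returned */
    model_handler(&d);          /* after unregistration: no callbacks */
    return d.stale_accesses;
}

int main(void)
{
    printf("devm-managed: %d stale access(es)\n", model_unbind(true));
    printf("manual:       %d stale access(es)\n", model_unbind(false));
    return 0;
}
```

When reviewing other drivers for the same pattern, check whether a devm-managed registration outlives resources that the remove callback releases by hand.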
Related Identifiers
Affected Products
Linux