Re: [PATCH v2] llc: Fix race between sock_orphan() and timer callback in llc_sk_free()

Next message: Tom Lendacky: "Re: [PATCH] crypto: use two-argument strscpy where destination size is known"
Previous message: Dipayaan Roy: "[PATCH net-next v10 2/2] net: mana: force full-page RX buffers via ethtool private flag"
Next in thread: Jiakai Xu: "Re: [PATCH v2] llc: Fix race between sock_orphan() and timer callback in llc_sk_free()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jakub Kicinski

Date: Tue Jun 02 2026 - 16:30:24 EST

On Fri, 29 May 2026 02:00:59 +0000 Jiakai Xu wrote:
> In llc_ui_release(), sock_orphan() was called before llc_sk_free()
> stopped all LLC timers. A pending timer callback
> (llc_conn_ack_tmr_cb()->llc_process_tmr_ev()->llc_conn_state_process())
> could fire between these two operations and dereference the
> NULL sk->sk_socket that sock_orphan() sets, causing a kernel
> page fault.
>
> Fix the race by moving sock_orphan() into llc_sk_free(), after
> llc_sk_stop_all_timers() has completed. This guarantees that
> all timers are stopped before the socket is orphaned, eliminating
> the window for the race.

Sashiko points out that there's more issues if the timer runs after
llc_ui_release(). Can you reliably reproduce this? Have you checked
that this change is sufficient? Sashiko says that llc->dev may
disappear even tho we don't clear that pointer in _release().
--
pw-bot: cr