Re: [PATCH v1] net: plip: cancel pending work before freeing device

[Paolo Abeni]

On 5/15/26 8:31 AM, Sicong Huang wrote:
> plip_close() stops the IRQ and the poll timer but does not cancel
> the immediate and deferred work items before returning. These two
> work items are initialised in plip_init_netdev() via
> INIT_WORK(&nl->immediate, plip_bh) and
> INIT_DELAYED_WORK(&nl->deferred, plip_kick_bh).
> plip_cleanup_module() calls free_netdev() which frees the
> net_local structure while those work items may still be queued or
> running in the workqueue, resulting in a use-after-free.
> 
> Fix this by calling cancel_delayed_work_sync() and cancel_work_sync()
> after all sources of new work scheduling have been shut down (IRQ
> disabled, poll timer stopped) but before releasing parport and
> freeing any skbs.
> 
> Signed-off-by: Sicong Huang <congei42@xxxxxxx>

This is a fix, should target the 'net' tree including such tag in the
subj prefix and should include a suitable 'Fixes:' tag in the tag area.
Please have an accurate read at:

Documentation/process/maintainer-netdev.rst

before reposting.

> ---
>  drivers/net/plip/plip.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/net/plip/plip.c b/drivers/net/plip/plip.c
> index d81163bc910a..4f0ab14f2024 100644
> --- a/drivers/net/plip/plip.c
> +++ b/drivers/net/plip/plip.c
> @@ -1141,6 +1141,9 @@ plip_close(struct net_device *dev)
>  		wait_for_completion(&nl->killed_timer_cmp);
>  	}
>  
> +	cancel_delayed_work_sync(&nl->deferred);
> +	cancel_work_sync(&nl->immediate);

Sashiko noted this is still racy:

https://netdev-ai.bots.linux.dev/sashiko/#/patchset/20260515063155.3196112-1-congei42%40163.com

you should likely call disable_* at deattach() time.

/P