Re: [PATCH v2] llc: Fix race between sock_orphan() and timer callback in llc_sk_free()

Next message: Mi, Dapeng: "Re: [PATCH V2 5/8] perf/x86/intel/uncore: Factor out box setup code"
Previous message: Chaoyi Chen: "Re: [PATCH 1/2] drm/rockchip: dsi: Add maximum per lane bit rate calculation"
In reply to: Jakub Kicinski: "Re: [PATCH v2] llc: Fix race between sock_orphan() and timer callback in llc_sk_free()"
Next in thread: Jakub Kicinski: "Re: [PATCH v2] llc: Fix race between sock_orphan() and timer callback in llc_sk_free()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jiakai Xu

Date: Tue Jun 02 2026 - 21:37:11 EST

Thank you very much for your review and feedback. I really appreciate
you taking the time to look at this.

> Sashiko points out that there's more issues if the timer runs after
> llc_ui_release(). Can you reliably reproduce this? Have you checked
> that this change is sufficient? Sashiko says that llc->dev may
> disappear even tho we don't clear that pointer in _release().

This crash was discovered by fuzzing. Unfortunately, the fuzzer did
not generate a reproducer program, so I am unable to reproduce it.
Our analysis has been based entirely on the crash report.

I'm not an expert in this area, so the quality of my patches may be
low. I really appreciate your patience and the time you've taken to
review this. Would this V3 approach (moving both sock_orphan() and
netdev_put() into llc_sk_free() after the timer stop) be the correct
way to proceed?

Regards,
Jiakai