Re: [PATCH v2] llc: Fix race between sock_orphan() and timer callback in llc_sk_free()

Next message: Wentao Liang: "[PATCH] block/fops: fix refcount underflow in __blkdev_direct_IO()"
Previous message: Inochi Amaoto: "Re: [PATCH] riscv: dts: sophgo: reduce SG2042 MSI count to 16"
In reply to: Jiakai Xu: "Re: [PATCH v2] llc: Fix race between sock_orphan() and timer callback in llc_sk_free()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jakub Kicinski

Date: Tue Jun 02 2026 - 22:12:20 EST

On Wed, 3 Jun 2026 01:30:07 +0000 Jiakai Xu wrote:
> > Sashiko points out that there's more issues if the timer runs after
> > llc_ui_release(). Can you reliably reproduce this? Have you checked
> > that this change is sufficient? Sashiko says that llc->dev may
> > disappear even tho we don't clear that pointer in _release().
>
> This crash was discovered by fuzzing. Unfortunately, the fuzzer did
> not generate a reproducer program, so I am unable to reproduce it.
> Our analysis has been based entirely on the crash report.
>
> I'm not an expert in this area, so the quality of my patches may be
> low. I really appreciate your patience and the time you've taken to
> review this. Would this V3 approach (moving both sock_orphan() and
> netdev_put() into llc_sk_free() after the timer stop) be the correct
> way to proceed?

Not sure, feels like we're trying to fix symptoms instead of addressing
the real root cause.