From: Simon Horman <horms@kernel.org>
To: Deepak Sharma <deepak.sharma.472935@gmail.com>
Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
pabeni@redhat.com, pwn9uin@gmail.com, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org,
syzbot+07b635b9c111c566af8b@syzkaller.appspotmail.com
Subject: Re: [PATCH] Fix the cleanup on alloc_mpc failure in atm_mpoa_mpoad_attach
Date: Wed, 24 Sep 2025 19:41:15 +0100
Message-ID: <20250924184115.GS836419@horms.kernel.org>
In-Reply-To: <20250923132427.74242-1-deepak.sharma.472935@gmail.com>

On Tue, Sep 23, 2025 at 06:54:27PM +0530, Deepak Sharma wrote:
> Syzbot reported a warning at `add_timer`, which is called from the
> `atm_mpoa_mpoad_attach` function
>
> The reason for this warning is that in the allocation failure by `alloc_mpc`,
> there is a lack of proper cleanup. And in the event that ATMMPC_CTRL ioctl is
> called again, it will lead to the attempt of starting an already
> started timer from the previous ioctl call
>
> Do a `timer_delete` before returning from the `alloc_mpc` failure
>
> Reported-by: syzbot+07b635b9c111c566af8b@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=07b635b9c111c566af8b
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Deepak Sharma <deepak.sharma.472935@gmail.com>
> ---
> net/atm/mpc.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/net/atm/mpc.c b/net/atm/mpc.c
> index f6b447bba329..cd3295c3c480 100644
> --- a/net/atm/mpc.c
> +++ b/net/atm/mpc.c
> @@ -814,7 +814,10 @@ static int atm_mpoa_mpoad_attach(struct atm_vcc *vcc, int arg)
> dprintk("allocating new mpc for itf %d\n", arg);
> mpc = alloc_mpc();
> if (mpc == NULL)
> + {
> + timer_delete(&mpc_timer);
> return -ENOMEM;
> + }
> mpc->dev_num = arg;
> mpc->dev = find_lec_by_itfnum(arg);
> /* NULL if there was no lec */
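
Review bot: in the new `mpc == NULL` branch, timer_delete(&mpc_timer) only deactivates a pending timer and does not wait for a callback that is already running on another CPU, so if the mpc_timer callback re-arms itself the timer can be pending again after this returns and the next ATMMPC_CTRL ioctl would hit the same add_timer warning; timer_delete_sync() closes that window if that is the case. The commit message says the timer was started before alloc_mpc() could fail, so it is also worth stating in the changelog why undoing it here is preferred over arming it only after the allocation succeeds. On style, the opening brace belongs on the `if (mpc == NULL)` line, not on a line of its own.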

Hi Deepak.

I have a few questions about this.

1. Is timer_delete() sufficient, or is timer_delete_sync() needed
   to avoid the timer being rearmed?

2. If timer_delete_sync() is needed here, then it is probably
   also needed a few lines above, in place of an existing call to
   timer_delete().

3. Is timer_delete()/timer_delete_sync() also needed for the error condition a
   few lines below the hunk above? That code looks like this:

	if (mpc->mpoad_vcc) {
		pr_info("mpoad is already present for itf %d\n", arg);
		return -EADDRINUSE;
	}

Also, this patch is probably for net. So, for reference, it should
be targeted at that tree like this:

	Subject: [PATCH net] ...

And the patch subject should have a prefix. Looking at git history, "atm:"
seems appropriate.

	Subject: [PATCH net] atm: ...