From: Bernard Pidoux
To: netdev@vger.kernel.org
Cc: linux-hams@vger.kernel.org, linux-kernel@vger.kernel.org, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, Bernard Pidoux
Subject: [PATCH net 3/5] rose: fix race between loopback timer and module removal
Date: Sun, 26 Apr 2026 16:43:03 +0200
Message-ID: <20260426144305.984349-4-bernard.f6bvp@gmail.com>
In-Reply-To: <20260426144305.984349-1-bernard.f6bvp@gmail.com>
References: <20260426144305.984349-1-bernard.f6bvp@gmail.com>

rose_loopback_clear() called timer_delete() which returns immediately
without waiting for any running callback to complete. If the timer
fired concurrently with module removal, rose_loopback_timer() could
re-arm the timer after timer_delete() returned and then access
rose_loopback_neigh after it was freed.

Two complementary changes close the race:

1. Add a loopback_stopping atomic flag. rose_loopback_timer() checks
   it at entry (before acquiring a reference) and again inside the
   loop; when set it drains the queue and exits without re-arming the
   timer.

2. Switch rose_loopback_clear() to timer_delete_sync() so it blocks
   until any in-flight callback has returned before freeing resources.

The smp_mb() between setting the flag and calling timer_delete_sync()
ensures the flag is visible to any callback that is about to run.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Tested-by: Bernard Pidoux
Signed-off-by: Bernard Pidoux
--- net/rose/rose_loopback.c | 31 ++++++++++++++++++++++++------- 1 file changed, 24 insertions(+), 7 deletions(-) diff --git a/net/rose/rose_loopback.c b/net/rose/rose_loopback.c index d66913df360d..80d7879ef36a 100644 --- a/net/rose/rose_loopback.c +++ b/net/rose/rose_loopback.c 
@@ -12,13 +12,15 @@ #include #include -static struct sk_buff_head loopback_queue; #define ROSE_LOOPBACK_LIMIT 1000 -static struct timer_list loopback_timer; +static struct timer_list loopback_timer; +static struct sk_buff_head loopback_queue; static void rose_set_loopback_timer(void); static void rose_loopback_timer(struct timer_list *unused); +static atomic_t loopback_stopping = ATOMIC_INIT(0); + void rose_loopback_init(void) { skb_queue_head_init(&loopback_queue); @@ -66,6 +68,9 @@ static void rose_loopback_timer(struct timer_list *unused) unsigned int lci_i, lci_o; int count; + if (atomic_read(&loopback_stopping)) + return; + if (rose_loopback_neigh) rose_neigh_hold(rose_loopback_neigh); else @@ -75,6 +80,13 @@ static void rose_loopback_timer(struct timer_list *unused) skb = skb_dequeue(&loopback_queue); if (!skb) goto out; + + if (atomic_read(&loopback_stopping)) { + kfree_skb(skb); + skb_queue_purge(&loopback_queue); + goto out; + } + if (skb->len < ROSE_MIN_LEN) { kfree_skb(skb); continue; @@ -118,7 +130,7 @@ static void rose_loopback_timer(struct timer_list *unused) out: rose_neigh_put(rose_loopback_neigh); - if (!skb_queue_empty(&loopback_queue)) + if (!atomic_read(&loopback_stopping) && !skb_queue_empty(&loopback_queue)) mod_timer(&loopback_timer, jiffies + 1); } @@ -126,10 +138,15 @@ void __exit rose_loopback_clear(void) { struct sk_buff *skb; - timer_delete(&loopback_timer); + atomic_set(&loopback_stopping, 1); + /* Pairs with atomic_read() in rose_loopback_timer(): ensure the + * stopping flag is visible before we cancel, so a concurrent + * callback aborts its loop early rather than re-arming the timer. + */ + smp_mb(); + + timer_delete_sync(&loopback_timer); - while ((skb = skb_dequeue(&loopback_queue)) != NULL) { - skb->sk = NULL; + while ((skb = skb_dequeue(&loopback_queue)) != NULL) kfree_skb(skb); - } } -- 2.51.0
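
Review bot: In the first hunk (@@ -12,13), swapping the order of the `loopback_queue` and `loopback_timer` declarations is unrelated to the race and only adds noise to a fix aimed at net; I would drop the reorder and keep just the new `static atomic_t loopback_stopping = ATOMIC_INIT(0);` line. The flag is also only consulted in rose_loopback_timer(): rose_set_loopback_timer(), declared in this same hunk, is not touched by any of the visible hunks, so a caller that reaches it after rose_loopback_clear() has returned can still arm the timer. Either gate it on the flag as well or say in the commit message why no such caller can exist at module exit.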
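
Review bot: The entry check in the @@ -66,6 hunk returns without touching the queue, while the commit message says that when the flag is set the callback "drains the queue and exits"; only the in-loop check drains. That is harmless because rose_loopback_clear() frees whatever is left after timer_delete_sync(), but the message, or a short comment above the check, should say that the early return deliberately leaves the queue for rose_loopback_clear().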
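
Review bot: In the @@ -75,6 hunk the flag is tested after skb_dequeue(), so the callback has to free one skb by hand and then call skb_queue_purge(), duplicating the cleanup that rose_loopback_clear() performs right after timer_delete_sync(). Testing the flag before the dequeue and doing a plain `goto out` would be shorter and would leave a single place that frees the queue. It is also worth asking whether this per-iteration check is needed at all: timer_delete_sync() already waits for the callback to finish, so the check only shortens that wait.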
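
Review bot: The condition added in front of mod_timer() in the @@ -118,7 hunk is check-then-act: the flag can be set between atomic_read() and mod_timer(), so the flag by itself does not stop a re-arm, and the fix really rests on timer_delete_sync() in rose_loopback_clear(). Consider timer_shutdown_sync() there instead; it waits for a running callback and turns later attempts to arm the timer into no-ops, which would make this condition, and probably the whole flag, unnecessary.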
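
Review bot: The new comment in rose_loopback_clear() (@@ -126,10 hunk) says smp_mb() "Pairs with atomic_read()", but atomic_read() is an unordered load, so there is no barrier on the callback side for it to pair with. Either drop the smp_mb() and rely on timer_delete_sync() to serialize with the callback, or add the matching ordering in rose_loopback_timer() and name it in the comment. Separately, this hunk removes `skb->sk = NULL;` from the purge loop, which the commit message does not mention; please justify that in the message or move it to its own patch.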