ppp: disconnect channel before nullifying pch->chan

In ppp_unregister_channel(), pch->chan is set to NULL before calling
ppp_disconnect_channel(), which removes the channel from ppp->channels
list using list_del_rcu() + synchronize_net(). This creates an
intermediate state where the channel is still connected (on the list)
but already unregistered (pch->chan == NULL).

Call ppp_disconnect_channel() before setting pch->chan to NULL. After
the synchronize_net(), no new reader on the transmit path will hold a
reference to the channel from the list.

This eliminates the problematic state, and prepares for removing the
pch->chan NULL checks from the transmit path in a subsequent patch.

Signed-off-by: Qingfang Deng <dqfext@gmail.com>
Link: https://patch.msgid.link/20260312093732.277254-1-dqfext@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>

diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
index 6344c5eb0f9842aa5d2f9c1e98b583ba056a9d8d..ad480b584e25ed4d315d79c948d250a45a6fb9a1 100644 (file)
--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -3032,12 +3032,12 @@ ppp_unregister_channel(struct ppp_channel *chan)
         * This ensures that we have returned from any calls into
         * the channel's start_xmit or ioctl routine before we proceed.
         */
+       ppp_disconnect_channel(pch);
        down_write(&pch->chan_sem);
        spin_lock_bh(&pch->downl);
        WRITE_ONCE(pch->chan, NULL);
        spin_unlock_bh(&pch->downl);
        up_write(&pch->chan_sem);
-       ppp_disconnect_channel(pch);
 
        pn = ppp_pernet(pch->chan_net);
        spin_lock_bh(&pn->all_channels_lock);