From: Qingfang Deng Date: Thu, 12 Mar 2026 09:37:30 +0000 (+0800) Subject: ppp: disconnect channel before nullifying pch->chan X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6a196e83a1a7e50be93482d1cd4305641f1a9fb1;p=thirdparty%2Flinux.git ppp: disconnect channel before nullifying pch->chan In ppp_unregister_channel(), pch->chan is set to NULL before calling ppp_disconnect_channel(), which removes the channel from ppp->channels list using list_del_rcu() + synchronize_net(). This creates an intermediate state where the channel is still connected (on the list) but already unregistered (pch->chan == NULL). Call ppp_disconnect_channel() before setting pch->chan to NULL. After the synchronize_net(), no new reader on the transmit path will hold a reference to the channel from the list. This eliminates the problematic state, and prepares for removing the pch->chan NULL checks from the transmit path in a subsequent patch. Signed-off-by: Qingfang Deng Link: https://patch.msgid.link/20260312093732.277254-1-dqfext@gmail.com Signed-off-by: Paolo Abeni --- diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c index 6344c5eb0f984..ad480b584e25e 100644 --- a/drivers/net/ppp/ppp_generic.c +++ b/drivers/net/ppp/ppp_generic.c @@ -3032,12 +3032,12 @@ ppp_unregister_channel(struct ppp_channel *chan) * This ensures that we have returned from any calls into * the channel's start_xmit or ioctl routine before we proceed. */ + ppp_disconnect_channel(pch); down_write(&pch->chan_sem); spin_lock_bh(&pch->downl); WRITE_ONCE(pch->chan, NULL); spin_unlock_bh(&pch->downl); up_write(&pch->chan_sem); - ppp_disconnect_channel(pch); pn = ppp_pernet(pch->chan_net); spin_lock_bh(&pn->all_channels_lock);