git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Jeremy Kerr <jk@codeconstruct.com.au>
	Mon, 8 Jun 2026 01:25:40 +0000 (09:25 +0800)
committer	Paolo Abeni <pabeni@redhat.com>
	Tue, 9 Jun 2026 13:23:13 +0000 (15:23 +0200)
commit	54665dce982689e2fd99b32e9a0dcc204fda8a51
tree	7670d788fe22a6c7836a475494a28ba117ce7e17	tree \| snapshot
parent	004e9ecfe6c5384f9e0b2f6f6389d42ec22789af	commit \| diff

net: mctp: usb: fix race between urb completion and rx_retry cancellation

It's possible that sequencing between setting ->stopped and cancelling
the rx_retry work (in ndo_stop) could leave us with an urb queued:

    T1: ndo_stop                  T2: rx_retry_work
    ------------                  ----------------
                                  LD: ->stopped => false
    ST: ->stopped <= true
    usb_kill_urb()
                                  mctp_usb_rx_queue()
                                    usb_submit_urb()
    cancel_delayed_work_sync()

That urb completion can then re-schedule rx_retry_work.

Strenghen the sequencing between the stop (preventing another requeue)
and the cancel by updating both atomically under a new rx lock. After
setting ->rx_stopped, and cancelling pending work, we know that the
requeue cannot occur, so all that's left is killing any pending urb.

Fixes: 0791c0327a6e ("net: mctp: Add MCTP USB transport driver")
Signed-off-by: Jeremy Kerr <jk@codeconstruct.com.au>
Link: https://patch.msgid.link/20260608-dev-mctp-usb-rx-requeue-v2-1-29a3aa507609@codeconstruct.com.au
Signed-off-by: Paolo Abeni <pabeni@redhat.com>