Commit 6a196e83 authored Mar 12, 2026 by Qingfang Deng Committed by Paolo Abeni Mar 17, 2026

ppp: disconnect channel before nullifying pch->chan



In ppp_unregister_channel(), pch->chan is set to NULL before calling
ppp_disconnect_channel(), which removes the channel from ppp->channels
list using list_del_rcu() + synchronize_net(). This creates an
intermediate state where the channel is still connected (on the list)
but already unregistered (pch->chan == NULL).

Call ppp_disconnect_channel() before setting pch->chan to NULL. After
the synchronize_net(), no new reader on the transmit path will hold a
reference to the channel from the list.

This eliminates the problematic state, and prepares for removing the
pch->chan NULL checks from the transmit path in a subsequent patch.

Signed-off-by: Qingfang Deng <dqfext@gmail.com>
Link: https://patch.msgid.link/20260312093732.277254-1-dqfext@gmail.com


Signed-off-by: Paolo Abeni <pabeni@redhat.com>

parent a2efb1b8

drivers/net/ppp/ppp_generic.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -3032,12 +3032,12 @@ ppp_unregister_channel(struct ppp_channel *chan)
		* This ensures that we have returned from any calls into
		* the channel's start_xmit or ioctl routine before we proceed.
		*/
		ppp_disconnect_channel(pch);
		down_write(&pch->chan_sem);
		spin_lock_bh(&pch->downl);
		WRITE_ONCE(pch->chan, NULL);
		spin_unlock_bh(&pch->downl);
		up_write(&pch->chan_sem);
		ppp_disconnect_channel(pch);

		pn = ppp_pernet(pch->chan_net);
		spin_lock_bh(&pn->all_channels_lock);