[PATCH v1] net: plip: cancel pending work before freeing device

Sicong Huang posted 1 patch 4 weeks ago
drivers/net/plip/plip.c | 3 +++
1 file changed, 3 insertions(+)
[PATCH v1] net: plip: cancel pending work before freeing device
Posted by Sicong Huang 4 weeks ago
plip_close() stops the IRQ and the poll timer but does not cancel
the immediate and deferred work items before returning. These two
work items are initialised in plip_init_netdev() via
INIT_WORK(&nl->immediate, plip_bh) and
INIT_DELAYED_WORK(&nl->deferred, plip_kick_bh).
plip_cleanup_module() calls free_netdev() which frees the
net_local structure while those work items may still be queued or
running in the workqueue, resulting in a use-after-free.

Fix this by calling cancel_delayed_work_sync() and cancel_work_sync()
after all sources of new work scheduling have been shut down (IRQ
disabled, poll timer stopped) but before releasing parport and
freeing any skbs.

Signed-off-by: Sicong Huang <congei42@163.com>
---
 drivers/net/plip/plip.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/net/plip/plip.c b/drivers/net/plip/plip.c
index d81163bc910a..4f0ab14f2024 100644
--- a/drivers/net/plip/plip.c
+++ b/drivers/net/plip/plip.c
@@ -1141,6 +1141,9 @@ plip_close(struct net_device *dev)
 		wait_for_completion(&nl->killed_timer_cmp);
 	}
 
+	cancel_delayed_work_sync(&nl->deferred);
+	cancel_work_sync(&nl->immediate);
+
 #ifdef NOTDEF
 	outb(0x00, PAR_DATA(dev));
 #endif
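
Review bot: the two cancel calls are placed in plip_close(), but the changelog locates the free in plip_cleanup_module() via free_netdev(), and nothing in this hunk prevents nl->immediate or nl->deferred from being queued again between those two points. cancel_delayed_work_sync() and cancel_work_sync() only deal with work that is pending or running at the time of the call; they do not block later queueing. Consider disable_delayed_work_sync() and disable_work_sync() on the teardown path that precedes free_netdev(), or explain in the changelog why no requeue is possible after close. The tag area also carries only a Signed-off-by, so a Fixes: tag is missing for what is described as a use-after-free fix.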
-- 
2.34.1

Re: [PATCH v1] net: plip: cancel pending work before freeing device
Posted by Paolo Abeni 3 weeks, 2 days ago
On 5/15/26 8:31 AM, Sicong Huang wrote:
> plip_close() stops the IRQ and the poll timer but does not cancel
> the immediate and deferred work items before returning. These two
> work items are initialised in plip_init_netdev() via
> INIT_WORK(&nl->immediate, plip_bh) and
> INIT_DELAYED_WORK(&nl->deferred, plip_kick_bh).
> plip_cleanup_module() calls free_netdev() which frees the
> net_local structure while those work items may still be queued or
> running in the workqueue, resulting in a use-after-free.
> 
> Fix this by calling cancel_delayed_work_sync() and cancel_work_sync()
> after all sources of new work scheduling have been shut down (IRQ
> disabled, poll timer stopped) but before releasing parport and
> freeing any skbs.
> 
> Signed-off-by: Sicong Huang <congei42@163.com>

This is a fix, should target the 'net' tree including such tag in the
subj prefix and should include a suitable 'Fixes:' tag in the tag area.
Please have an accurate read at:

Documentation/process/maintainer-netdev.rst

before reposting.

> ---
>  drivers/net/plip/plip.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/net/plip/plip.c b/drivers/net/plip/plip.c
> index d81163bc910a..4f0ab14f2024 100644
> --- a/drivers/net/plip/plip.c
> +++ b/drivers/net/plip/plip.c
> @@ -1141,6 +1141,9 @@ plip_close(struct net_device *dev)
>  		wait_for_completion(&nl->killed_timer_cmp);
>  	}
>  
> +	cancel_delayed_work_sync(&nl->deferred);
> +	cancel_work_sync(&nl->immediate);
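
Review bot: the order of the two added calls matters if the handlers can queue each other. nl->deferred is cancelled first, so a plip_bh instance that is still running (the nl->immediate handler according to the changelog) could queue it again before cancel_work_sync(&nl->immediate) returns. Whether plip_bh or plip_kick_bh does this is not visible in the hunk, so the changelog should state it. If they do, add a short comment above the calls justifying the ordering, or disable both work items instead of cancelling them so a late queue attempt has no effect.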

Sashiko noted this is still racy:

https://netdev-ai.bots.linux.dev/sashiko/#/patchset/20260515063155.3196112-1-congei42%40163.com

you should likely call disable_* at deattach() time.

/P