Re: [PATCH] xen-netfront: Delete rx_refill_timer in xennet_disconnect_backend()

From: Eric Dumazet
Date: Mon Jan 30 2017 - 13:07:44 EST


On Mon, 2017-01-30 at 12:45 -0500, Boris Ostrovsky wrote:
> rx_refill_timer should be deleted as soon as we disconnect from the
> backend since otherwise it is possible for the timer to go off before
> we get to xennet_destroy_queues(). If this happens we may dereference
> queue->rx.sring which is set to NULL in xennet_disconnect_backend().
>
> Signed-off-by: Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx>
> CC: stable@xxxxxxxxxxxxxxx
> ---
> drivers/net/xen-netfront.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
> index 8315fe7..722fe9f 100644
> --- a/drivers/net/xen-netfront.c
> +++ b/drivers/net/xen-netfront.c
> @@ -1379,6 +1379,8 @@ static void xennet_disconnect_backend(struct netfront_info *info)
> for (i = 0; i < num_queues && info->queues; ++i) {
> struct netfront_queue *queue = &info->queues[i];
>
> + del_timer_sync(&queue->rx_refill_timer);
> +

If napi_disable() was not called before this del_timer_sync(), another
RX might come here and rearm rx_refill_timer.

> if (queue->tx_irq && (queue->tx_irq == queue->rx_irq))
> unbind_from_irqhandler(queue->tx_irq, queue);
> if (queue->tx_irq && (queue->tx_irq != queue->rx_irq)) {
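
Review bot: the new del_timer_sync() runs while the queue's interrupt handlers are still bound (unbind_from_irqhandler() only follows it), so an RX interrupt arriving in that window can still schedule NAPI polling and re-arm rx_refill_timer after del_timer_sync() has returned; with queue->rx.sring set to NULL later in this function, that reopens the window the commit message is trying to close. Consider deleting the timer only once the queue can no longer produce RX work, i.e. after napi_disable() and the IRQ unbinding, or repeating the del_timer_sync() at that point.
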
> @@ -1733,7 +1735,6 @@ static void xennet_destroy_queues(struct netfront_info *info)
>
> if (netif_running(info->netdev))
> napi_disable(&queue->napi);
> - del_timer_sync(&queue->rx_refill_timer);
> netif_napi_del(&queue->napi);
> }
>
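
Review bot: removing this del_timer_sync() drops the only timer deletion that executes after napi_disable(), which is the point from which the poll path can no longer re-arm rx_refill_timer; if the timer was re-armed between the new delete in xennet_disconnect_backend() and here, netif_napi_del() now runs with a pending timer. del_timer_sync() is safe to call on an already-deleted timer, so keeping this call (or moving napi_disable() ahead of the delete in xennet_disconnect_backend()) would be the safer choice.
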