On Wed, Aug 9, 2017 at 8:57 AM, <gfree.w...@vip.163.com> wrote:
> From: Gao Feng <gfree.w...@vip.163.com>
>
> In the commit ddab82821fa6 ("ppp: Fix a scheduling-while-atomic bug in
> del_chan"), I moved the synchronize_rcu() from del_chan() to pptp_release
> after del_chan() to avoid one scheduling-while-atomic bug.
>
> Actually the del_chan() and pppox_unbind_sock are unnecessary in the
> pptp_sock_destruct. Because the pptp sock refcnt wouldn't reach zero until
> sk_state is set as PPPOX_DEAD in pptp_release. By that time, the del_chan()
> and pppox_unbind_sock() have been invoked already and the condition check
> "!(sk->sk_state & PPPOX_DEAD)" of this sock must be false in
> pptp_sock_destruct.

I am not sure. The check for sock->sk in the beginning of pptp_release() indicates there could be a case we could skip del_chan() in pptp_release(), although I can't figure out how. Also there is a suspicious sock_put() in pptp_release().