On Sun, Aug 6, 2017 at 6:32 PM, Gao Feng <gfree.w...@vip.163.com> wrote:
> I think the RCU should be supposed to avoid the race between del_chan and
> lookup_chan.

More precisely, it is callid_sock which is protected by RCU. Unless I miss any other code path, pptp_exit_module() is problematic too; I don't think it can just vfree() the whole thing.

> The synchronize_rcu could make sure if there was one which calls lookup_chan
> in this period, it would be finished and the sock refcnt is increased if
> necessary.
>
> So I think it is ok to invoke sock_put directly without SOCK_RCU_FREE,
> because the lookup_chan caller has already held the sock refcnt.

If you mean the sock_hold() inside lookup_chan(), no, it doesn't help, because we already dereference the sock before it. Also, lookup_chan_dst() does not take a refcnt; I don't find any code preventing it from dereferencing a sock in callid_sock other than the calling one.