From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from out-172.mta0.migadu.com (out-172.mta0.migadu.com [91.218.175.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A4B254219E4 for ; Thu, 2 Jul 2026 08:19:26 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=91.218.175.172 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782980368; cv=none; b=tGnzUn1ivgUOjF87Khi74R3AeWwkN6PEFlPgpxJ4oUjhPG5YnQA3uEwi2x7pzU5RS9C68GBVSKmmAZ4c/26jiWABrhE+y3KST2V3bQ1cXlFArG+JQ+F94lrB1pfBI09Do+hX7rX8ybsNQB0MWCHZ3lb2juEXy2mivF9QomfpDRg= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782980368; c=relaxed/simple; bh=LTcoPOEiw4rlHi1sMzQp9TpXpMC0Qga5gAG/6qfa/Mk=; h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From: In-Reply-To:Content-Type; b=oUT0PS0a7SpvKbEmGS/L7qWNDuuSBRfJ3ibnCe82UyaxFQk4smig3wvCqgWTjmYZvIjF0V2o/sLJnFwTOLZ6hGq363XDF+sWAe9wAgFSahFGP9oV2aHNHAv3Ld0ztXi0zQyfzhWE2wOPlDu3prUCICMKmNZ0dYYBPuXA1SGXvZA= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=nzBi+pTz; arc=none smtp.client-ip=91.218.175.172 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="nzBi+pTz" Message-ID: <166370f4-0b8c-4af4-9fb7-6967828a99bc@linux.dev> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1782980354; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=o/qjIx9DBZ+vWShiSSveQa8m5i8Lw7dPrnCxeEDpsmg=; b=nzBi+pTzw3tABsaisQYDrLls5eENT4LbOxbTC1S9EqLDJYKV7IefLUKCOcqz6tXU5T/FyN uormnWxDbXfrNMg3vh9b075QGiO/NKed1XLmR3op3HYHbpHOYq2lv9o0PPeybt8VnrKkGM DUIJxr96gpwVXAd9trT9gl0FZlFTjyU= Date: Thu, 2 Jul 2026 16:19:02 +0800 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Subject: Re: [PATCH net v2] ppp: defer channel free to an RCU grace period to fix pppol2tp RX UAF To: Norbert Szetei Cc: Andrew Lunn , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Sebastian Andrzej Siewior , Breno Leitao , Taegu Ha , Kees Cook , linux-ppp@vger.kernel.org, linux-kernel@vger.kernel.org, Guillaume Nault , netdev@vger.kernel.org References: X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. From: Qingfang Deng In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Migadu-Flow: FLOW_OUT Add: Guillaume On 2026/7/2 at 2:12, Norbert Szetei wrote: > pppol2tp_recv() runs in the L2TP UDP-encap softirq RX path: > > l2tp_udp_encap_recv() -> l2tp_recv_common() -> pppol2tp_recv() > -> ppp_input(&po->chan) > > It runs under rcu_read_lock() holding only an l2tp_session reference and > takes NO reference on the internal PPP channel (struct channel, > chan->ppp) that ppp_input() dereferences. > > The pppox socket is SOCK_RCU_FREE, so 'po' and the embedded ppp_channel > are RCU-safe. But the internal struct channel is a separate allocation > that ppp_release_channel() frees with a plain kfree(): > > close(data socket) -> pppol2tp_release() -> pppox_unbind_sock() > -> ppp_unregister_channel() -> ppp_release_channel() -> kfree(pch) > > For a channel that is bound (PPPIOCGCHAN) but not attached to a ppp unit > (no PPPIOCCONNECT, pch->ppp == NULL) and not bridged, teardown skips > both ppp_disconnect_channel()'s synchronize_net() and > ppp_unbridge_channels()'s synchronize_rcu(), so the kfree() has no grace > period. rcu_read_lock() in pppol2tp_recv() does not protect against a > plain kfree(), so an in-flight ppp_input() on one CPU can dereference > the channel just freed by close() on another CPU. > > The bug is reachable by an unprivileged user. > > Defer the channel free to an RCU callback via call_rcu() so the grace > period fences any in-flight ppp_input(). The disconnect and unbridge > teardown paths already fence with synchronize_net()/synchronize_rcu(); > call_rcu() does the same here without stalling the close() path. > > Fixes: ee40fb2e1eb5 ("l2tp: protect sock pointer of struct pppol2tp_session with RCU") > Assisted-by: Claude:claude-opus-4-8 > Signed-off-by: Norbert Szetei > --- > v2: > - Moved skb_queue_purge() to a dedicated RCU callback to prevent leaking > skbs added by an in-flight ppp_input() during the grace period (Sebastian). > - Retained call_rcu() to avoid introducing synchronous multi-millisecond > latency into the teardown path. > v1: https://lore.kernel.org/netdev/C954A7EA-AA98-4E3C-80B5-42C34B3183A3@doyensec.com/ > > drivers/net/ppp/ppp_generic.c | 17 ++++++++++++++--- > 1 file changed, 14 insertions(+), 3 deletions(-) > > diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c > index 57c68efa5ff8..2d57de77780f 100644 > --- a/drivers/net/ppp/ppp_generic.c > +++ b/drivers/net/ppp/ppp_generic.c > @@ -184,6 +184,7 @@ struct channel { > struct list_head clist; /* link in list of channels per unit */ > spinlock_t upl; /* protects `ppp' and 'bridge' */ > struct channel __rcu *bridge; /* "bridged" ppp channel */ > + struct rcu_head rcu; /* for RCU-deferred free of the channel */ > #ifdef CONFIG_PPP_MULTILINK > u8 avail; /* flag used in multilink stuff */ > u8 had_frag; /* >= 1 fragments have been sent */ > @@ -3562,6 +3563,18 @@ ppp_disconnect_channel(struct channel *pch) > return err; > } > > +/* Purge after the grace period: a late ppp_input() may still queue an > + * skb on pch->file.rq before the last RCU reader drains. > + */ > +static void ppp_release_channel_free(struct rcu_head *rcu) > +{ > + struct channel *pch = container_of(rcu, struct channel, rcu); > + > + skb_queue_purge(&pch->file.xq); > + skb_queue_purge(&pch->file.rq); > + kfree(pch); > +} > + > /* > * Drop a reference to a ppp channel and free its memory if the refcount reaches > * zero. > @@ -3581,9 +3594,7 @@ static void ppp_release_channel(struct channel *pch) > pr_err("ppp: destroying undead channel %p !\n", pch); > return; > } > - skb_queue_purge(&pch->file.xq); > - skb_queue_purge(&pch->file.rq); > - kfree(pch); > + call_rcu(&pch->rcu, ppp_release_channel_free); > } > > static void __exit ppp_cleanup(void) Reviewed-by: Qingfang Deng FYI, I attempted to merge the two channel structs and AI-review found a UAF [1], so this patch addresses the issue. [1] https://lore.kernel.org/netdev/590d7931-02b0-45d6-8f43-ef909c9bde89@redhat.com/ Best regards, Qingfang