From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 976722DB7B8 for ; Fri, 3 Jul 2026 16:05:35 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.133.124 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783094740; cv=none; b=kLNTtHmKBxUReMrYTZOpBMvkyz0x3t3lM8JjPtmsJ0IwJhw8wya4BZQ79Wv2OGi0FUZNNCzA/xj5S/BOwbxsl/x90n5VqoOBnWTrK5Lx8ZXrVBK9iz5cKHZP4ADYVT6/eW8Py+PPcwpmLARSnGeHV84R090aBytbcQNLetJBRN0= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783094740; c=relaxed/simple; bh=R8raQapqEko/nHjRDyj7SDbekaWrkygAAaKPhvpequc=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=QTEU9a57khMuTku8x2CRA6QiM15qLFvyAAbMHan2A4YNV1fdS+xyntlHvQmOsWQDmpRIbKApHTciQmfihxV91FL2yWuilZoz/qB3DtfCh043ltZ73ptuwpiUx0uaO9458nj6bXa55cjGTgYMBEJWYndPMzfL5cdFIAya8yu2NJc= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=cwqCy9mi; dkim=pass (2048-bit key) header.d=redhat.com header.i=@redhat.com header.b=KtnBpCSm; arc=none smtp.client-ip=170.10.133.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="cwqCy9mi"; dkim=pass (2048-bit key) header.d=redhat.com header.i=@redhat.com header.b="KtnBpCSm" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1783094731; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=ExsD+fY9tpTLOuyb4+ACzKrp5pskUXTbgMDg8wamdvY=; b=cwqCy9miOPRPJYLx9SGnxUqfkr0aYJ79AeLc9Fgd/lwXHbAg7KXElI5FZmoy3zTeT6N3qD BJCyD8ZEr9ACXaV4YMp11ETovW7U6IuFPWRjYVltGMsox39xH0+39UPEIYiHk6jnjuvsTo Q5poBjmVDzn/NkCTkIheatz/gb4gCF8= Received: from mail-wr1-f72.google.com (mail-wr1-f72.google.com [209.85.221.72]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-352-t8AbQWEbPe2P6S91_B4ndQ-1; Fri, 03 Jul 2026 12:05:30 -0400 X-MC-Unique: t8AbQWEbPe2P6S91_B4ndQ-1 X-Mimecast-MFC-AGG-ID: t8AbQWEbPe2P6S91_B4ndQ_1783094729 Received: by mail-wr1-f72.google.com with SMTP id ffacd0b85a97d-4784d0fb9cfso472422f8f.2 for ; Fri, 03 Jul 2026 09:05:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=google; t=1783094729; x=1783699529; darn=vger.kernel.org; h=in-reply-to:content-disposition:content-type:mime-version :references:message-id:subject:cc:to:from:date:from:to:cc:subject :date:message-id:reply-to:content-type; bh=ExsD+fY9tpTLOuyb4+ACzKrp5pskUXTbgMDg8wamdvY=; b=KtnBpCSmklnpDGyMyURykx1l+ZI6tPdy2UWu9skO+usEEXISEOb4e6KCd3NoeTUMB1 sENKvVBFp6qXjYuk4xXiwmLoEGz93z8LQYWg3YyEVrC3r6dudi81k23u25b46fdDttNK sL+8GfHj4TKUBsP5mI3CZ32wt7M16ks5qr/VgSiTD1kst7ki6MPrYl8snT4+UhbhiUWU QJaxnSjQJtayRk7y2ub54G4SMBr57WNMxZF7HBvQMLbZCzTMBeozDOsHnsovAR6x9DNf sQci4vgYS6MjoVCdfR83y1z/mcNKd5qS0Kyd8U9UbMp5Hun/y1yhPT8HINQfV2sPEbZi CDdQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1783094729; x=1783699529; h=in-reply-to:content-disposition:content-type:mime-version :references:message-id:subject:cc:to:from:date:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to :content-type; bh=ExsD+fY9tpTLOuyb4+ACzKrp5pskUXTbgMDg8wamdvY=; b=Mn1yhZKiTv9Bti0C8j6dmrS+e/OlCQ+cABnesV9CW11JNQcFkikkvDadNV9tcLbO/V uDp+bmkwA7JLSHBlarPAy6WpPNo/oZ6XeqkakaaV0HcWMTjf3t19Rf7mMDowKI1ie9gZ ya95genshEQFErdpszS0BNar4ZORhw/d0xegSamPyXA97OqFsYA2vSMD54LFeOZ8Xef1 UVUEEojjpCCSDSVEBZaimi+RI9StQykjelwiuij5ffWhNt4byNUl1KLT7y8t1MOuaPu2 LhdXFuAL+xvjJIkl6DwrXQd0JH6Y/2Dbl+PQv/Vl+fec5dxggSLZpKBWXaWvd/ttftsJ uWQQ== X-Forwarded-Encrypted: i=1; AHgh+Rr+VXbDFOE/IQKc3EZ/K53cMp2d3ULihPBFGjLp5ZTfW0mVLXtvNIsnTvXjZpC3s1cGoXV0fLwluZUI+jY=@vger.kernel.org X-Gm-Message-State: AOJu0YwTyISPj+pSeq43T96CSVbO6zqlWeAHxdiv38ChEE+A2QS/wREx X25XPjSjZYrtrNjVQBKfAm7R2KlBt9za+wogJePrtTvWtTVUM4rQ9JT86c0TolHzz8Zw1TsJKuy hQYQlormhpySCPT/YOx9sCqylvAiMr6siQriFAxkQJ6nkUDA9CDj6M/bM7L0sliSsar2/7GmdQJ Iw X-Gm-Gg: AfdE7clPjtnJCSJT7UngqPl/S0KMgi5U0ze+XFPinwgeIJ05TGgbV3Ywe5KmxGV38sN /tAzwpUBLxj3LHVarByzrWC5GijESYNR+0UeCD9yxaMUmogZXTnTQXyywhEvE83rwtzLlqKfIxk vJHJjNTx0nVqnajhbssspdED28BnT7fzCM8iVeFFZl6TXAKDyc9aiBtQCluKjKdAANIW4D418/H aFwlhMCwUVrsC3FLf/z4winsSByieh605mR5k8VMKnW2CiArUN/TZBh57iNj2hr5SAQHEh2xNXn tHdBToZj/RqcwPCLfgdBrOxYN2Ov5Q1wX+/yEoafAd7CFeDjO7bTviKcVyHiQJBRMWv7Lm8Ld7l lOlbrD59KbnUN/DbnH6bT29qg6HQxz3Vz+FlqMQHXEQfLTHzPf0zo8AQp2jTWaS2bHg== X-Received: by 2002:a5d:50ca:0:b0:475:f0f0:9ed2 with SMTP id ffacd0b85a97d-477b601c4d1mr12059265f8f.61.1783094728607; Fri, 03 Jul 2026 09:05:28 -0700 (PDT) X-Received: by 2002:a5d:50ca:0:b0:475:f0f0:9ed2 with SMTP id ffacd0b85a97d-477b601c4d1mr12059222f8f.61.1783094728239; Fri, 03 Jul 2026 09:05:28 -0700 (PDT) Received: from debian (2a01cb05923c9a00ac64493857fc411e.ipv6.abo.wanadoo.fr. [2a01:cb05:923c:9a00:ac64:4938:57fc:411e]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-47a9de1e6ccsm381813f8f.5.2026.07.03.09.05.26 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 03 Jul 2026 09:05:27 -0700 (PDT) Date: Fri, 3 Jul 2026 18:05:24 +0200 From: Guillaume Nault To: Qingfang Deng Cc: Norbert Szetei , Andrew Lunn , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Sebastian Andrzej Siewior , Breno Leitao , Taegu Ha , Kees Cook , linux-ppp@vger.kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org Subject: Re: [PATCH net v2] ppp: defer channel free to an RCU grace period to fix pppol2tp RX UAF Message-ID: References: <166370f4-0b8c-4af4-9fb7-6967828a99bc@linux.dev> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <166370f4-0b8c-4af4-9fb7-6967828a99bc@linux.dev> On Thu, Jul 02, 2026 at 04:19:02PM +0800, Qingfang Deng wrote: > Add: Guillaume > > On 2026/7/2 at 2:12, Norbert Szetei wrote: > > pppol2tp_recv() runs in the L2TP UDP-encap softirq RX path: > > > > l2tp_udp_encap_recv() -> l2tp_recv_common() -> pppol2tp_recv() > > -> ppp_input(&po->chan) Hi Qingfang, Thanks for Cc-ing me. I haven't had time to look at this problem yet, and I'll be offline next week. So not sure if I'll get the possibility to provide any feedback to this patch in time. > > It runs under rcu_read_lock() holding only an l2tp_session reference and > > takes NO reference on the internal PPP channel (struct channel, > > chan->ppp) that ppp_input() dereferences. > > > > The pppox socket is SOCK_RCU_FREE, so 'po' and the embedded ppp_channel > > are RCU-safe. But the internal struct channel is a separate allocation > > that ppp_release_channel() frees with a plain kfree(): > > > > close(data socket) -> pppol2tp_release() -> pppox_unbind_sock() > > -> ppp_unregister_channel() -> ppp_release_channel() -> kfree(pch) > > > > For a channel that is bound (PPPIOCGCHAN) but not attached to a ppp unit > > (no PPPIOCCONNECT, pch->ppp == NULL) and not bridged, teardown skips > > both ppp_disconnect_channel()'s synchronize_net() and > > ppp_unbridge_channels()'s synchronize_rcu(), so the kfree() has no grace > > period. rcu_read_lock() in pppol2tp_recv() does not protect against a > > plain kfree(), so an in-flight ppp_input() on one CPU can dereference > > the channel just freed by close() on another CPU. > > > > The bug is reachable by an unprivileged user. > > > > Defer the channel free to an RCU callback via call_rcu() so the grace > > period fences any in-flight ppp_input(). The disconnect and unbridge > > teardown paths already fence with synchronize_net()/synchronize_rcu(); > > call_rcu() does the same here without stalling the close() path. > > > > Fixes: ee40fb2e1eb5 ("l2tp: protect sock pointer of struct pppol2tp_session with RCU") > > Assisted-by: Claude:claude-opus-4-8 > > Signed-off-by: Norbert Szetei > > --- > > v2: > > - Moved skb_queue_purge() to a dedicated RCU callback to prevent leaking > > skbs added by an in-flight ppp_input() during the grace period (Sebastian). > > - Retained call_rcu() to avoid introducing synchronous multi-millisecond > > latency into the teardown path. > > v1: https://lore.kernel.org/netdev/C954A7EA-AA98-4E3C-80B5-42C34B3183A3@doyensec.com/ > > > > drivers/net/ppp/ppp_generic.c | 17 ++++++++++++++--- > > 1 file changed, 14 insertions(+), 3 deletions(-) > > > > diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c > > index 57c68efa5ff8..2d57de77780f 100644 > > --- a/drivers/net/ppp/ppp_generic.c > > +++ b/drivers/net/ppp/ppp_generic.c > > @@ -184,6 +184,7 @@ struct channel { > > struct list_head clist; /* link in list of channels per unit */ > > spinlock_t upl; /* protects `ppp' and 'bridge' */ > > struct channel __rcu *bridge; /* "bridged" ppp channel */ > > + struct rcu_head rcu; /* for RCU-deferred free of the channel */ > > #ifdef CONFIG_PPP_MULTILINK > > u8 avail; /* flag used in multilink stuff */ > > u8 had_frag; /* >= 1 fragments have been sent */ > > @@ -3562,6 +3563,18 @@ ppp_disconnect_channel(struct channel *pch) > > return err; > > } > > +/* Purge after the grace period: a late ppp_input() may still queue an > > + * skb on pch->file.rq before the last RCU reader drains. > > + */ > > +static void ppp_release_channel_free(struct rcu_head *rcu) > > +{ > > + struct channel *pch = container_of(rcu, struct channel, rcu); > > + > > + skb_queue_purge(&pch->file.xq); > > + skb_queue_purge(&pch->file.rq); > > + kfree(pch); > > +} > > + > > /* > > * Drop a reference to a ppp channel and free its memory if the refcount reaches > > * zero. > > @@ -3581,9 +3594,7 @@ static void ppp_release_channel(struct channel *pch) > > pr_err("ppp: destroying undead channel %p !\n", pch); > > return; > > } > > - skb_queue_purge(&pch->file.xq); > > - skb_queue_purge(&pch->file.rq); > > - kfree(pch); > > + call_rcu(&pch->rcu, ppp_release_channel_free); > > } > > static void __exit ppp_cleanup(void) > > Reviewed-by: Qingfang Deng > > FYI, I attempted to merge the two channel structs and AI-review found a UAF > [1], so this patch addresses the issue. > > [1] https://lore.kernel.org/netdev/590d7931-02b0-45d6-8f43-ef909c9bde89@redhat.com/ > > Best regards, > > Qingfang > >