From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from shards.monkeyblade.net ([184.105.139.130]:45306 "EHLO shards.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932298AbeCDXoI (ORCPT ); Sun, 4 Mar 2018 18:44:08 -0500
Date: Sun, 04 Mar 2018 18:44:06 -0500 (EST)
Message-Id: <20180304.184406.446255603611101639.davem@davemloft.net>
To: g.nault@alphalink.fr
Cc: netdev@vger.kernel.org, nuclearcat@nuclearcat.com, paulus@samba.org
Subject: Re: [PATCH net] ppp: prevent unregistered channels from connecting to PPP units
From: David Miller
In-Reply-To: <61be6aa4ebd1c88955f6e910f5c91077d2040aea.1520011838.git.g.nault@alphalink.fr>
References: <61be6aa4ebd1c88955f6e910f5c91077d2040aea.1520011838.git.g.nault@alphalink.fr>
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: netdev-owner@vger.kernel.org
List-ID:

From: Guillaume Nault
Date: Fri, 2 Mar 2018 18:41:16 +0100

> PPP units don't hold any reference on the channels connected to them.
> It is the channel's responsibility to ensure that it disconnects from
> its unit before being destroyed.
> In practice, this is ensured by ppp_unregister_channel() disconnecting
> the channel from the unit before dropping a reference on the channel.
>
> However, it is possible for an unregistered channel to connect to a PPP
> unit: register a channel with ppp_register_net_channel(), attach a
> /dev/ppp file to it with ioctl(PPPIOCATTCHAN), unregister the channel
> with ppp_unregister_channel() and finally connect the /dev/ppp file to
> a PPP unit with ioctl(PPPIOCCONNECT).
>
> Once in this situation, the channel is only held by the /dev/ppp file,
> which can be released at any time and free the channel without letting
> the parent PPP unit know. Then the ppp structure ends up with dangling
> pointers in its ->channels list.
>
> Prevent this scenario by forbidding unregistered channels from
> connecting to PPP units. This maintains the code logic by keeping
> ppp_unregister_channel() responsible for disconnecting the channel if
> necessary and avoids modification on the reference counting mechanism.
>
> This issue seems to predate git history (successfully reproduced on
> Linux 2.6.26 and earlier PPP commits are unrelated).
>
> Signed-off-by: Guillaume Nault

Applied and queued up for -stable, thank you.
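
The lifecycle described in the quoted commit message, as an added example that is not part of the original thread or of the kernel patch: a userspace toy model in which a unit holds no references on its channels, showing why refusing to connect an unregistered channel leaves no dangling entry. All struct and function names are hypothetical, and a `freed` flag stands in for the actual free so the model stays well-defined.

```c
#include <stdbool.h>
#include <stddef.h>

/* Toy userspace model; all names are hypothetical, not the kernel's. */
struct unit;
struct channel {
    int refs;           /* one for registration, one per attached /dev/ppp file */
    bool registered;    /* cleared by chan_unregister() */
    bool freed;         /* stands in for kfree() so the model stays well-defined */
    struct unit *unit;  /* unit this channel is connected to, if any */
};
struct unit { struct channel *channels[4]; size_t n; };  /* holds no references */

static void put(struct channel *c) { if (--c->refs == 0) c->freed = true; }
static void disconnect(struct channel *c) {
    struct unit *u = c->unit;
    if (!u) return;
    for (size_t i = 0; i < u->n; i++)
        if (u->channels[i] == c) { u->channels[i] = u->channels[--u->n]; break; }
    c->unit = NULL;
}
static void chan_register(struct channel *c) { *c = (struct channel){ .refs = 1, .registered = true }; }
static void file_attach(struct channel *c) { c->refs++; }
static void file_release(struct channel *c) { put(c); }
static void chan_unregister(struct channel *c) { c->registered = false; disconnect(c); put(c); }

/* check_registered == false models the old behaviour, true models the fix. */
static int chan_connect(struct channel *c, struct unit *u, bool check_registered) {
    if (check_registered && !c->registered) return -1;  /* refuse unregistered channel */
    if (c->unit || u->n == 4) return -1;
    u->channels[u->n++] = c;
    c->unit = u;
    return 0;
}
/* Number of entries in the unit's list that point at a freed channel. */
static size_t dangling(const struct unit *u) {
    size_t d = 0;
    for (size_t i = 0; i < u->n; i++) d += u->channels[i]->freed ? 1 : 0;
    return d;
}
/* Replays the commit message's sequence; returns dangling entries left behind. */
static size_t replay(bool check_registered) {
    struct channel c; struct unit u = { .n = 0 };
    chan_register(&c);                        /* register */
    file_attach(&c);                          /* PPPIOCATTCHAN */
    chan_unregister(&c);                      /* unregister */
    chan_connect(&c, &u, check_registered);   /* PPPIOCCONNECT */
    file_release(&c);                         /* close file */
    return dangling(&u);
}
```

In this model `replay(false)` leaves one dangling entry in the unit's list and `replay(true)` leaves none, without any change to how references are counted.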