• Guillaume Nault's avatar
    ppp: prevent unregistered channels from connecting to PPP units · eae0a9ae
    Guillaume Nault authored
    
    [ Upstream commit 77f840e3 ]
    
    PPP units don't hold any reference on the channels connected to it.
    It is the channel's responsibility to ensure that it disconnects from
    its unit before being destroyed.
    In practice, this is ensured by ppp_unregister_channel() disconnecting
    the channel from the unit before dropping a reference on the channel.
    
    However, it is possible for an unregistered channel to connect to a PPP
    unit: register a channel with ppp_register_net_channel(), attach a
    /dev/ppp file to it with ioctl(PPPIOCATTCHAN), unregister the channel
    with ppp_unregister_channel() and finally connect the /dev/ppp file to
    a PPP unit with ioctl(PPPIOCCONNECT).
    
    Once in this situation, the channel is only held by the /dev/ppp file,
    which can be released at anytime and free the channel without letting
    the parent PPP unit know. Then the ppp structure ends up with dangling
    pointers in its ->channels list.
    
    Prevent this scenario by forbidding unregistered channels from
    connecting to PPP units. This maintains the code logic by keeping
    ppp_unregister_channel() responsible from disconnecting the channel if
    necessary and avoids modification on the reference counting mechanism.
    
    This issue seems to predate git history (successfully reproduced on
    Linux 2.6.26 and earlier PPP commits are unrelated).
    Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    eae0a9ae
ppp_generic.c 72.2 KB