Commit 5028e6c9 authored by Guillaume Nault's avatar Guillaume Nault Committed by Greg Kroah-Hartman

ppp: fix xmit recursion detection on ppp channels


[ Upstream commit 0a0e1a85 ]

Commit e5dadc65 ("ppp: Fix false xmit recursion detect with two ppp
devices") dropped the xmit_recursion counter incrementation in
ppp_channel_push() and relied on ppp_xmit_process() for this task.
But __ppp_channel_push() can also send packets directly (using the
.start_xmit() channel callback), in which case the xmit_recursion
counter isn't incremented anymore. If such packets get routed back to
the parent ppp unit, ppp_xmit_process() won't notice the recursion and
will call ppp_channel_push() on the same channel, effectively creating
the deadlock situation that the xmit_recursion mechanism was supposed
to prevent.

This patch re-introduces the xmit_recursion counter incrementation in
ppp_channel_push(). Since the xmit_recursion variable is now part of
the parent ppp unit, incrementation is skipped if the channel doesn't
have any. This is fine because only packets routed through the parent
unit may enter the channel recursively.

Finally, we have to ensure that pch->ppp is not going to be modified
while executing ppp_channel_push(). Instead of taking this lock only
while calling ppp_xmit_process(), we now have to hold it for the full
ppp_channel_push() execution. This respects the ppp locks ordering
which requires locking ->upl before ->downl.

Fixes: e5dadc65 ("ppp: Fix false xmit recursion detect with two ppp devices")
Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 67410cd2
...@@ -1913,21 +1913,23 @@ static void __ppp_channel_push(struct channel *pch) ...@@ -1913,21 +1913,23 @@ static void __ppp_channel_push(struct channel *pch)
spin_unlock_bh(&pch->downl); spin_unlock_bh(&pch->downl);
/* see if there is anything from the attached unit to be sent */ /* see if there is anything from the attached unit to be sent */
if (skb_queue_empty(&pch->file.xq)) { if (skb_queue_empty(&pch->file.xq)) {
read_lock_bh(&pch->upl);
ppp = pch->ppp; ppp = pch->ppp;
if (ppp) if (ppp)
ppp_xmit_process(ppp); __ppp_xmit_process(ppp);
read_unlock_bh(&pch->upl);
} }
} }
static void ppp_channel_push(struct channel *pch) static void ppp_channel_push(struct channel *pch)
{ {
local_bh_disable(); read_lock_bh(&pch->upl);
if (pch->ppp) {
(*this_cpu_ptr(pch->ppp->xmit_recursion))++;
__ppp_channel_push(pch); __ppp_channel_push(pch);
(*this_cpu_ptr(pch->ppp->xmit_recursion))--;
local_bh_enable(); } else {
__ppp_channel_push(pch);
}
read_unlock_bh(&pch->upl);
} }
/* /*
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment