Thanks for the report!

On Thu, Mar 11, 2021 at 20:34:44 +0800, lyl2019@xxxxxxxxxxxxxxxx wrote:
> File: drivers/net/ppp/ppp_generic.c
>
> In ppp_unregister_channel, pch could be freed in ppp_unbridge_channels()
> but after that pch is still in use. Inside the function ppp_unbridge_channels,
> if "pchbb == pch" is true, then pch will be freed.

Do you have a way to reproduce a use-after-free scenario?

From static analysis I'm not sure how pch would be freed in
ppp_unbridge_channels when called via ppp_unregister_channel.

In theory (at least!) the caller of ppp_register_net_channel holds a
reference on struct channel which ppp_unregister_channel drops. Each
channel in a bridged pair holds a reference on the other.

Hence on return from ppp_unbridge_channels, the channel should not have
been freed (in this code path) because the ppp_register_net_channel
reference has not yet been dropped.

Maybe there is an issue with the reference counting or a race of some sort?

> I checked the commit history and found that this problem is introduced from
> 4cf476ced45d7 ("ppp: add PPPIOCBRIDGECHAN and PPPIOCUNBRIDGECHAN ioctls").
>
> I have no idea about how to generate a suitable patch, sorry.
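A toy model of the reference-counting argument made in the reply above, added here as an example and not taken from the kernel or from the thread; the struct, the register/bridge/unbridge helpers and the "freed" flag are simplified assumptions standing in for ppp_generic.c so that the lifetime question can be checked directly:

```c
/* Toy model of the reference-counting argument above. Added example, not the
 * kernel's code: names are simplified stand-ins for ppp_generic.c, and a
 * "freed" flag turns a use-after-free into a checkable condition. */
#include <string.h>

struct channel {
    int refcnt;             /* stand-in for the kernel's refcount */
    int freed;              /* set when the last reference is dropped */
    struct channel *bridge; /* peer in a bridged pair, or NULL */
};

static void chan_get(struct channel *pch) { pch->refcnt++; }

/* Drop one reference; returns 1 if it was the last (object is now "freed"). */
static int chan_put(struct channel *pch) {
    if (--pch->refcnt == 0) { pch->freed = 1; return 1; }
    return 0;
}

static int chan_alive(const struct channel *pch) { return !pch->freed && pch->refcnt > 0; }

/* Like ppp_register_net_channel: the caller holds the initial reference. */
static void register_channel(struct channel *pch) {
    memset(pch, 0, sizeof(*pch));
    chan_get(pch);
}

/* Like PPPIOCBRIDGECHAN: each channel takes a reference on its peer. */
static void bridge_channels(struct channel *a, struct channel *b) {
    chan_get(a); chan_get(b);
    a->bridge = b; b->bridge = a;
}

/* Like ppp_unbridge_channels: drop both cross-references. With only the
 * bridge references in play, this alone would free one side. */
static void unbridge_channels(struct channel *pch) {
    struct channel *peer = pch->bridge;
    if (!peer) return;
    pch->bridge = peer->bridge = NULL;
    chan_put(peer); /* pch's reference on peer */
    chan_put(pch);  /* peer's reference on pch */
}

/* Like ppp_unregister_channel: unbridge, touch pch, then drop the
 * registration reference. Returns 1 if pch was alive at that touch. */
static int unregister_channel(struct channel *pch) {
    int alive;
    unbridge_channels(pch);
    alive = chan_alive(pch); /* the access the report flagged */
    chan_put(pch);
    return alive;
}
```

In this model pch survives ppp_unbridge_channels precisely because the registration reference is still held, which is the reply's argument; if that reference were missing or dropped early, unregister_channel would return 0.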