On Fri, Mar 12, 2021 at 10:12:58AM +0000, Tom Parkin wrote: > Thanks for the report! > > On Thu, Mar 11, 2021 at 20:34:44 +0800, lyl2019@xxxxxxxxxxxxxxxx wrote: > > File: drivers/net/ppp/ppp_generic.c > > > > In ppp_unregister_channel, pch could be freed in ppp_unbridge_channels() > > but after that pch is still in use. Inside the function ppp_unbridge_channels, > > if "pchbb == pch" is true and then pch will be freed. > > Do you have a way to reproduce a use-after-free scenario? > > From static analysis I'm not sure how pch would be freed in > ppp_unbridge_channels when called via. ppp_unregister_channel. > > In theory (at least!) the caller of ppp_register_net_channel holds > a reference on struct channel which ppp_unregister_channel drops. Agreed: ppp_unregister_channel() is going to drop a refcount from pch in any case. So holding a refcount on pch is a hard requirement for any caller of ppp_unregister_channel(), regardless of the channel bridging code. To lyl2019: Note that this refcount is (unsurprisingly) held by calling ppp_register_net_channel().
