Re: net/ppp: use-after-free in ppp_unregister_channel

2016-03-19 Thread Guillaume Nault
On Wed, Mar 16, 2016 at 11:14:42PM +0800, Baozeng Ding wrote: > Dear all, > I've got the following use-after-free report while running syzkaller > fuzzer. Unfortunately no reproducer. It was found in the Linux kernel > version(4.4, on commit 9638685e32af961943b679fcb72d4ddd458eb18f). > > =

[RFC PATCH 0/6] ppp: add rtnetlink support

2016-04-04 Thread Guillaume Nault
ng lock ordering between ppp_mutex and rtnl_lock. Patch #4 does the lock inversion. The actual infrastructure is implemented in patches #5 and #6. Changes since v1: - Rebase on net-next. - Invert locking order wrt. ppp_mutex and rtnl_lock and protect file->private_data with ppp_mut

[RFC PATCH 6/6] ppp: add rtnetlink device creation support

2016-04-04 Thread Guillaume Nault
lowing the "ppp" prefix corresponds to the PPP unit number for ioctl based devices, while it is just an unrelated incrementing index for rtnl ones. Signed-off-by: Guillaume Nault --- drivers/net/ppp/ppp_generic.c | 143 +- include/uapi/linux/if_l

[RFC PATCH 4/6] ppp: invert lock ordering between ppp_mutex and rtnl_lock

2016-04-04 Thread Guillaume Nault
e removed entirely from this part of the code. Signed-off-by: Guillaume Nault --- drivers/net/ppp/ppp_generic.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c index c81e257..8aaedb8 100644 --- a/driver

[RFC PATCH 3/6] ppp: don't lock ppp_mutex while handling PPPIOCDETACH

2016-04-04 Thread Guillaume Nault
m an rtnetlink context. Signed-off-by: Guillaume Nault --- drivers/net/ppp/ppp_generic.c | 21 + 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c index 7329c72..c81e257 100644 --- a/drivers/net/ppp/ppp_gener

[RFC PATCH 2/6] ppp: don't hold ppp_mutex before calling ppp_unattached_ioctl()

2016-04-04 Thread Guillaume Nault
ctl() prototype. Signed-off-by: Guillaume Nault --- drivers/net/ppp/ppp_generic.c | 51 +-- 1 file changed, 39 insertions(+), 12 deletions(-) diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c index ec83b83..7329c72 100644 --- a/drivers/

[RFC PATCH 1/6] ppp: simplify usage of ppp_create_interface()

2016-04-04 Thread Guillaume Nault
r will allow for pushing ppp_mutex down when handling the PPPIOCNEWUNIT ioctl (as locking ppp_mutex is required before setting ->private_data). Signed-off-by: Guillaume Nault --- drivers/net/ppp/ppp_generic.c | 47 +-- 1 file changed, 23 insertions(+), 24

[RFC PATCH 5/6] ppp: define reusable device creation functions

2016-04-04 Thread Guillaume Nault
Move PPP device initialisation and registration out of ppp_create_interface(). This prepares code for device registration with rtnetlink. Signed-off-by: Guillaume Nault --- drivers/net/ppp/ppp_generic.c | 185 -- 1 file changed, 106 insertions(+), 79

Re: [RFC PATCH 0/6] ppp: add rtnetlink support

2016-04-05 Thread Guillaume Nault
On Tue, Apr 05, 2016 at 08:27:45AM -0700, Stephen Hemminger wrote: > On Tue, 5 Apr 2016 02:56:17 +0200 > Guillaume Nault wrote: > > > The rtnetlink handlers implemented in this series are minimal, and can > > only replace the PPPIOCNEWUNIT ioctl. The rest of PPP ioctls rema

Re: [RFC PATCH 5/6] ppp: define reusable device creation functions

2016-04-05 Thread Guillaume Nault
On Tue, Apr 05, 2016 at 08:28:32AM -0700, Stephen Hemminger wrote: > On Tue, 5 Apr 2016 02:56:29 +0200 > Guillaume Nault wrote: > > > Move PPP device initialisation and registration out of > > ppp_create_interface(). > > This prepares code for device registration wit

Re: [RFC PATCH 6/6] ppp: add rtnetlink device creation support

2016-04-05 Thread Guillaume Nault
On Tue, Apr 05, 2016 at 07:18:14PM +0200, walter harms wrote: > > > Am 05.04.2016 02:56, schrieb Guillaume Nault: > > @@ -1043,12 +1048,39 @@ static int ppp_dev_configure(struct net *src_net, > > struct net_device *dev, > > co

Re: [RFC PATCH 6/6] ppp: add rtnetlink device creation support

2016-04-06 Thread Guillaume Nault
On Wed, Apr 06, 2016 at 10:02:56AM +0200, walter harms wrote: > > > Am 05.04.2016 23:22, schrieb Guillaume Nault: > > On Tue, Apr 05, 2016 at 07:18:14PM +0200, walter harms wrote: > >> > >> > >> Am 05.04.2016 02:56, schrieb Guillaume Nault

[RFC PATCH v3 0/2] ppp: add rtnetlink support

2016-04-21 Thread Guillaume Nault
n Hemminger). - Do file descriptor lookup directly in ppp_nl_newlink(), to simplify ppp_dev_configure(). Changes since v1: - Rebase on net-next. - Invert locking order wrt. ppp_mutex and rtnl_lock and protect file->private_data with ppp_mutex. Guillaume Nault (2): ppp: define

[RFC PATCH v3 2/2] ppp: add rtnetlink device creation support

2016-04-21 Thread Guillaume Nault
based PPP interfaces: in the device name, the number following the "ppp" prefix corresponds to the PPP unit number for ioctl based devices, while it is just an unrelated incrementing index for rtnl ones. Signed-off-by: Guillaume Nault --- drivers/net/ppp

[RFC PATCH v3 1/2] ppp: define reusable device creation functions

2016-04-21 Thread Guillaume Nault
need to return a ppp structure to ppp_unattached_ioctl() anymore. * The unit parameter is made read/write so that ppp_create_interface() can tell which unit number has been assigned. Signed-off-by: Guillaume Nault --- drivers/net/ppp/ppp_generic

[PATCH v4 net-next 0/2] ppp: add rtnetlink support

2016-04-28 Thread Guillaume Nault
Stephen Hemminger). - Do file descriptor lookup directly in ppp_nl_newlink(), to simplify ppp_dev_configure(). Changes since v1: - Rebase on net-next. - Invert locking order wrt. ppp_mutex and rtnl_lock and protect file->private_data with ppp_mutex. Guillaume Nault (2): ppp: d

[PATCH v4 net-next 1/2] ppp: define reusable device creation functions

2016-04-28 Thread Guillaume Nault
need to return a ppp structure to ppp_unattached_ioctl() anymore. * The unit parameter is made read/write so that ppp_create_interface() can tell which unit number has been assigned. Signed-off-by: Guillaume Nault --- drivers/net/ppp/ppp_generic

[PATCH v4 net-next 2/2] ppp: add rtnetlink device creation support

2016-04-28 Thread Guillaume Nault
based PPP interfaces: in the device name, the number following the "ppp" prefix corresponds to the PPP unit number for ioctl based devices, while it is just an unrelated incrementing index for rtnl ones. Signed-off-by: Guillaume Nault --- drivers/net/ppp

Re: [PATCH] driver: ppp: Remove unnecessary bh disable in xmit path

2017-06-01 Thread Guillaume Nault
On Thu, Jun 01, 2017 at 09:49:18AM +0800, gfree.w...@vip.163.com wrote: > From: Gao Feng > > Since the commit 55454a565836 ("ppp: avoid dealock on recursive xmit"), > the PPP xmit path is protected by wrapper functions which disable the > bh already. So it is unnecessary to disable the bh again i

Re: [PATCH net-next] ppp: remove unnecessary bh disable in xmit path

2017-06-01 Thread Guillaume Nault
y to disable the bh again in the real > xmit path. > Thanks! Acked-by: Guillaume Nault

[PATCH net] ppp: fix xmit recursion detection on ppp channels

2017-08-08 Thread Guillaume Nault
annel_push() execution. This respects the ppp locks ordering which requires locking ->upl before ->downl. Fixes: e5dadc65f9e0 ("ppp: Fix false xmit recursion detect with two ppp devices") Signed-off-by: Guillaume Nault --- drivers/net/ppp/ppp_generic.c | 18 ++ 1

Re: [PATCH net] ppp: fix xmit recursion detection on ppp channels

2017-08-08 Thread Guillaume Nault
On Tue, Aug 08, 2017 at 09:16:33PM +0800, Gao Feng wrote: > At 2017-08-08 17:43:24, "Guillaume Nault" wrote: > >--- a/drivers/net/ppp/ppp_generic.c > >+++ b/drivers/net/ppp/ppp_generic.c > >@@ -1915,21 +1915,23 @@ static void __ppp_channel_push(struct channel *pch)

Re: BUG in free_netdev() on ppp link deletion

2017-10-03 Thread Guillaume Nault
On Tue, Oct 03, 2017 at 09:44:14AM +0200, Beniamino Galvani wrote: > Call Trace: > ppp_destroy_interface+0xd8/0xe0 [ppp_generic] > ppp_disconnect_channel+0xda/0x110 [ppp_generic] > ppp_unregister_channel+0x5e/0x110 [ppp_generic] > pppox_unbind_sock+0x23/0x30 [pppox] > pppoe_connect+0x130

Re: BUG in free_netdev() on ppp link deletion

2017-10-05 Thread Guillaume Nault
On Tue, Oct 03, 2017 at 06:40:03PM +0200, Guillaume Nault wrote: > On Tue, Oct 03, 2017 at 09:44:14AM +0200, Beniamino Galvani wrote: > > Call Trace: > > ppp_destroy_interface+0xd8/0xe0 [ppp_generic] > > ppp_disconnect_channel+0xda/0x110 [ppp_generic] > > ppp_un

Re: BUG in free_netdev() on ppp link deletion

2017-10-06 Thread Guillaume Nault
On Fri, Oct 06, 2017 at 10:09:03AM +0200, Beniamino Galvani wrote: > On Thu, Oct 05, 2017 at 04:55:03PM +0200, Guillaume Nault wrote: > > Sorry for the delay, I've followed a few complicated dead ends before > > getting to this simple and rather obvious fix. > >

[PATCH net] ppp: fix race in ppp device destruction

2017-10-06 Thread Guillaume Nault
r ppp_release() nor ppp_disconnect_channel() can call ppp_destroy_interface() in the interim. Reported-by: Beniamino Galvani Fixes: 8cb775bc0a34 ("ppp: fix device unregistration upon netns deletion") Signed-off-by: Guillaume Nault --- drivers/net/ppp/ppp_generic.c | 20 +++

Re: [PATCH net-next] ppp: Destroy the mutex when cleanup

2017-10-31 Thread Guillaume Nault
_generic.c > @@ -960,6 +960,7 @@ static __net_exit void ppp_exit_net(struct net *net) > unregister_netdevice_many(&list); > rtnl_unlock(); > > + mutex_destroy(&pn->all_ppp_mutex); > idr_destroy(&pn->units_idr); > } > Acked-by: Guil

Re: possible deadlock in ppp_dev_uninit

2018-01-05 Thread Guillaume Nault
On Wed, Jan 03, 2018 at 10:58:01PM -0800, syzbot wrote: > Hello, > > > WARNING: possible recursive locking detected > 4.15.0-rc6-next-20180103+ #87 Not tainted > > syzkaller221540/3462 is trying to acquire lo

Re: possible deadlock in ppp_dev_uninit

2018-01-05 Thread Guillaume Nault
On Fri, Jan 05, 2018 at 07:15:31PM +0100, Guillaume Nault wrote: > That's probably worth a test anyway. > Copy/paste error :-/ Here's a version that should apply cleanly. #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git master 8< diff

Re: [PATCH] slip: Check if rstate is initialized before uncompressing

2018-04-05 Thread Guillaume Nault
On Wed, Apr 04, 2018 at 04:21:25PM +0530, Tejaswi Tanikella wrote: > On receiving a packet the state index points to the rstate which must be > used to fill up IP and TCP headers. But if the state index points to a > rstate which is uninitialized, i.e. filled with zeros, it gets stuck in an > infinit

Re: KASAN: use-after-free Read in remove_wait_queue (2)

2018-05-18 Thread Guillaume Nault
On Sun, May 13, 2018 at 11:11:55PM -0700, Eric Biggers wrote: > [+ppp list and maintainer] > > This is a bug in ppp_generic.c; it still happens on Linus' tree and it's > easily > reproducible, see program below. The bug is that the PPPIOCDETACH ioctl > doesn't > consider that the file can still

Re: KASAN: use-after-free Read in remove_wait_queue (2)

2018-05-23 Thread Guillaume Nault
On Tue, May 22, 2018 at 08:29:58PM -0700, Eric Biggers wrote: > On Fri, May 18, 2018 at 06:02:23PM +0200, Guillaume Nault wrote: > > On Sun, May 13, 2018 at 11:11:55PM -0700, Eric Biggers wrote: > > > [+ppp list and maintainer] > > > > > > This is a bug in ppp_

Re: [PATCH] ppp: remove the PPPIOCDETACH ioctl

2018-05-23 Thread Guillaume Nault
On Tue, May 22, 2018 at 08:59:52PM -0700, Eric Biggers wrote: > From: Eric Biggers > > The PPPIOCDETACH ioctl effectively tries to "close" the given ppp file > before f_count has reached 0, which is fundamentally a bad idea. It > does check 'f_count < 2', which excludes concurrent operations on

Re: [PATCH v2] ppp: remove the PPPIOCDETACH ioctl

2018-05-24 Thread Guillaume Nault
lf. Using a 'PATCH net' subject prefix would have made it clear that this patch was fixing some released code and should be considered for -stable backport. Reviewed-by: Guillaume Nault Tested-by: Guillaume Nault

Re: [PATCH net-next 1/5] pppoe: fix PPPOEIOCSFWD compat handling

2018-08-30 Thread Guillaume Nault
should probably have removed this ioctl entirely instead of fixing it. Clearly, it has never been used. If you think it's worth fixing (as opposed to dropping this ioctl or its compat mode), then, Acked-by: Guillaume Nault

Re: [PATCH net-next 4/5] ppp: move PPPIOCSPASS32/PPPIOCSACTIVE32 to ppp_generic.c

2018-08-30 Thread Guillaume Nault
plementation I could come up with was to merge > the compat handling into the regular ppp_ioctl() function and > treating all ioctl commands as compatible. > Acked-by: Guillaume Nault

Re: [PATCH net-next 3/5] ppp: move PPPIOCSCOMPRESS32 to ppp-generic.c

2018-08-30 Thread Guillaume Nault
do > it in the regular ioctl handler, by allowing both structure layouts to > be handled directly there. > Acked-by: Guillaume Nault

Re: [PATCH net-next 5/5] ppp: handle PPPIOCGIDLE for 64-bit time_t

2018-08-30 Thread Guillaume Nault
On Wed, Aug 29, 2018 at 04:03:30PM +0200, Arnd Bergmann wrote: > The ppp_idle structure is defined in terms of __kernel_time_t, which is > defined as 'long' on all architectures, and this usage is not affected > by the y2038 problem since it transports a time interval rather than an > absolute time

Re: [PATCH net-next 1/5] pppoe: fix PPPOEIOCSFWD compat handling

2018-08-30 Thread Guillaume Nault
On Thu, Aug 30, 2018 at 01:54:48PM +0200, Arnd Bergmann wrote: > On Thu, Aug 30, 2018 at 1:04 PM Guillaume Nault wrote: > > > > On Wed, Aug 29, 2018 at 04:03:26PM +0200, Arnd Bergmann wrote: > > > Support for handling the PPPOEIOCSFWD ioctl in compat mode was added in

Re: UBSAN: Undefined behaviour in drivers/net/ppp/ppp_generic.c

2018-11-05 Thread Guillaume Nault
On Wed, Oct 31, 2018 at 06:46:16AM -0400, Kyungtae Kim wrote: > We report a crash in v4.19-rc2 (and the latest kernel as well): > > kernel config: https://kt0755.github.io/etc/config_v2-4.19 > repro: https://kt0755.github.io/etc/repro.1e3e9.c > > unit_set() lacks the bounds checking for an intege

Re: [PATCH] ppp: Fix memory leak in ppp_write

2019-09-17 Thread Guillaume Nault
On Sat, Sep 14, 2019 at 01:09:58PM +0900, Takeshi Misawa wrote: > When ppp is closing, __ppp_xmit_process() failed to enqueue skb > and skb allocated in ppp_write() is leaked. > > syzbot reported : > BUG: memory leak > unreferenced object 0x88812a17bc00 (size 224): > comm "syz-executor673",