From: Guillaume Nault <g.na...@alphalink.fr>
Date: Fri, 2 Mar 2018 18:41:16 +0100

> PPP units don't hold any reference on the channels connected to them.
> It is the channel's responsibility to ensure that it disconnects from
> its unit before being destroyed.
> In practice, this is ensured by ppp_unregister_channel() disconnecting
> the channel from the unit before dropping a reference on the channel.
>
> However, it is possible for an unregistered channel to connect to a PPP
> unit: register a channel with ppp_register_net_channel(), attach a
> /dev/ppp file to it with ioctl(PPPIOCATTCHAN), unregister the channel
> with ppp_unregister_channel() and finally connect the /dev/ppp file to
> a PPP unit with ioctl(PPPIOCCONNECT).
>
> Once in this situation, the channel is only held by the /dev/ppp file,
> which can be released at any time and free the channel without letting
> the parent PPP unit know. Then the ppp structure ends up with dangling
> pointers in its ->channels list.
>
> Prevent this scenario by forbidding unregistered channels from
> connecting to PPP units. This maintains the code logic by keeping
> ppp_unregister_channel() responsible for disconnecting the channel if
> necessary and avoids modification of the reference counting mechanism.
>
> This issue seems to predate git history (successfully reproduced on
> Linux 2.6.26 and earlier PPP commits are unrelated).
>
> Signed-off-by: Guillaume Nault <g.na...@alphalink.fr>

Applied and queued up for -stable, thank you.
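The ownership rules in the quoted description (the unit keeps raw pointers and no reference, the channel is kept alive by its registration and by the attached /dev/ppp file, and only unregistration disconnects the channel from its unit) can be modelled in user space to see why the sequence above leaves a dangling pointer and why refusing unregistered channels at connect time closes it. The model below is an added example written for this page; it is not kernel code and not the patch itself. All names in it (unit, chan, pppfile, the RC_* return codes) are this example's own stand-ins for the kernel structures and errno values, and the freed flag takes the place of the memory actually being released.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the PPP unit/channel ownership rules (not kernel code). */
#define MAX_CHANNELS 4
#define RC_ENOTCONN  (-1)   /* stands in for -ENOTCONN */
#define RC_EBUSY     (-2)   /* stands in for -EBUSY */

struct unit;

struct chan {
    int refcnt;          /* one ref for the registration, one per attached file */
    bool registered;     /* cleared by chan_unregister() */
    struct unit *unit;   /* unit this channel is connected to, or NULL */
    bool freed;          /* refcnt reached zero: the memory would be gone */
};

struct unit {
    struct chan *channels[MAX_CHANNELS];  /* raw pointers, no references held */
    int nchannels;
};

struct pppfile {
    struct chan *chan;   /* attached channel; the file owns one reference */
};

static void chan_put(struct chan *c)
{
    if (--c->refcnt == 0)
        c->freed = true;   /* the kernel would free the channel here */
}

/* ppp_register_net_channel(): the channel starts life with one reference. */
static void chan_register(struct chan *c)
{
    c->refcnt = 1;
    c->registered = true;
    c->unit = NULL;
    c->freed = false;
}

/* ioctl(PPPIOCATTCHAN): the file takes a reference of its own. */
static void file_attach(struct pppfile *f, struct chan *c)
{
    f->chan = c;
    c->refcnt++;
}

/* Remove the unit's raw pointer to this channel, if it is connected. */
static void chan_disconnect(struct chan *c)
{
    struct unit *u = c->unit;
    if (!u)
        return;
    for (int i = 0; i < u->nchannels; i++) {
        if (u->channels[i] == c) {
            u->channels[i] = u->channels[--u->nchannels];
            break;
        }
    }
    c->unit = NULL;
}

/* ppp_unregister_channel(): disconnect first, then drop the registration ref. */
static void chan_unregister(struct chan *c)
{
    c->registered = false;
    chan_disconnect(c);
    chan_put(c);
}

/* ioctl(PPPIOCCONNECT); forbid_unregistered is the rule the patch adds. */
static int chan_connect(struct chan *c, struct unit *u, bool forbid_unregistered)
{
    if (c->unit || u->nchannels == MAX_CHANNELS)
        return RC_EBUSY;
    if (forbid_unregistered && !c->registered)
        return RC_ENOTCONN;
    u->channels[u->nchannels++] = c;
    c->unit = u;
    return 0;
}

/* close() on /dev/ppp: drops the file's reference without telling the unit. */
static void file_release(struct pppfile *f)
{
    chan_put(f->chan);
    f->chan = NULL;
}

/* Entries in the unit's list that now point at a freed channel. */
static int unit_dangling(const struct unit *u)
{
    int n = 0;
    for (int i = 0; i < u->nchannels; i++)
        if (u->channels[i]->freed)
            n++;
    return n;
}

/* The exact sequence from the description; returns dangling entries left behind. */
static int unregistered_connect_scenario(bool forbid_unregistered, int *connect_rc)
{
    struct unit u = { {0}, 0 };
    struct chan c;
    struct pppfile f;
    chan_register(&c);                                         /* register */
    file_attach(&f, &c);                                       /* PPPIOCATTCHAN */
    chan_unregister(&c);                                       /* only the file ref is left */
    *connect_rc = chan_connect(&c, &u, forbid_unregistered);   /* PPPIOCCONNECT */
    file_release(&f);                                          /* last reference dropped */
    return unit_dangling(&u);
}

static int unregistered_connect_rc(bool forbid_unregistered)
{
    int rc;
    unregistered_connect_scenario(forbid_unregistered, &rc);
    return rc;
}

/* The intended lifecycle: unregistration disconnects before the free. */
static int normal_teardown_scenario(void)
{
    struct unit u = { {0}, 0 };
    struct chan c;
    struct pppfile f;
    chan_register(&c);
    file_attach(&f, &c);
    chan_connect(&c, &u, true);
    chan_unregister(&c);   /* disconnects: the unit's list is empty again */
    file_release(&f);
    return unit_dangling(&u);
}

int main(void)
{
    int rc_unchecked, rc_checked;
    int d_unchecked = unregistered_connect_scenario(false, &rc_unchecked);
    int d_checked = unregistered_connect_scenario(true, &rc_checked);
    printf("unchecked connect: rc=%d, %d dangling\n", rc_unchecked, d_unchecked);
    printf("checked connect:   rc=%d, %d dangling\n", rc_checked, d_checked);
    printf("normal teardown:   %d dangling\n", normal_teardown_scenario());
    return 0;
}
```

Without the check the connect succeeds and the later release leaves one entry in the unit's list pointing at a freed channel; with the check the connect is refused and the list stays clean, while the ordinary register/attach/connect/unregister/release path is unaffected because unregistration already disconnects the channel.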