diff options
| author |   Tom Parkin <tparkin@katalix.com> | 2021-01-07 18:13:15 +0000 |
|---|---|---|
| committer |   Jakub Kicinski <kuba@kernel.org> | 2021-01-08 19:21:06 -0800 |
| commit | c1787ffd0d24eb93eefac2dbba0eac5700da9ff1 (patch) | |
| tree | 94c6123b8703bfcd561b99bfceaadff453e38b5a /tools/testing/selftests/netfilter | |
| parent | udp: Prevent reuseport_select_sock from reading uninitialized socks (diff) | |
| download | linux-dev-c1787ffd0d24eb93eefac2dbba0eac5700da9ff1.tar.xz linux-dev-c1787ffd0d24eb93eefac2dbba0eac5700da9ff1.zip | |
ppp: fix refcount underflow on channel unbridge
When setting up a channel bridge, ppp_bridge_channels sets the
pch->bridge field before taking the associated reference on the bridge
file instance.
This opens up a refcount underflow bug if ppp_bridge_channels called
via. iotcl runs concurrently with ppp_unbridge_channels executing via.
file release.
The bug is triggered by ppp_bridge_channels taking the error path
through the 'err_unset' label. In this scenario, pch->bridge is set,
but the reference on the bridged channel will not be taken because
the function errors out. If ppp_unbridge_channels observes pch->bridge
before it is unset by the error path, it will erroneously drop the
reference on the bridged channel and cause a refcount underflow.
To avoid this, ensure that ppp_bridge_channels holds a reference on
each channel in advance of setting the bridge pointers.
Signed-off-by: Tom Parkin <tparkin@katalix.com>
Fixes: 4cf476ced45d ("ppp: add PPPIOCBRIDGECHAN and PPPIOCUNBRIDGECHAN ioctls")
Acked-by: Guillaume Nault <gnault@redhat.com>
Link: https://lore.kernel.org/r/20210107181315.3128-1-tparkin@katalix.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to 'tools/testing/selftests/netfilter')
0 files changed, 0 insertions, 0 deletions