Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

pppoe: disc: document who holds references to the net object #141

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

laarmen
Copy link
Contributor

@laarmen laarmen commented Jun 23, 2020

REVISED PATCH

While working on another patch, I had a bug that seemed to be related
to a use-after-free on the net structure, leading to a faulty patch
removing the disc_stop refcount decrement, as I missed that the init_net
function initialized the refcount to 1 and not 0. The bug was in my
code.

This patch adds simple comments the reference handling to make it a bit
more obvious what is going on.

INITIAL VERSION

pppoe: disc: do not free the net struct in disc_stop

Assuming there is only one server associated with the current net
object, freeing the net object at the end of disc_stop could potentially
create a use-after-free error since before that, we queued an
asynchronous call to _serv_stop, which in turn calls pppoe_disc_stop.

Since pppoe_disc_stop acquires a pointer to the net object at the
beginning of its run, and uses it all throughout as part of its locking,
having free_net running alongside could result in the memory backing the
lock being freed while the code is running.

While working on another patch, I had a bug that *seemed* to be related
to a use-after-free on the net structure, leading to a faulty patch
removing the disc_stop refcount decrement, as I missed that the init_net
function initialized the refcount to 1 and not 0. The bug was in my
code.

This patch adds simple comments the reference handling to make it a bit
more obvious what is going on.

Signed-off-by: Simon Chopin <s.chopin@alphalink.fr>
@laarmen
Copy link
Contributor Author

laarmen commented Jul 17, 2020

OK, this patch is actually wrong. I'll replace it with a patch that only adds comments and edit the title and description. Feel free to directly close the PR if you think them superfluous.

@laarmen laarmen force-pushed the pppoe_use_after_free branch from 0a99b9a to 7923b91 Compare July 17, 2020 09:04
@laarmen laarmen changed the title pppoe: disc: do not free the net struct in disc_stop pppoe: disc: document who holds references to the net object Jul 17, 2020
@Neustradamus
Copy link

Dear @laarmen,

Can you open a PR at "good" place:

Thanks in advance.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants