lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Wed, 7 Oct 2015 12:32:51 +0200
From:	Guillaume Nault <g.nault@...halink.fr>
To:	Matt Bennett <Matt.Bennett@...iedtelesis.co.nz>
Cc:	"core@....lg.ua" <core@....lg.ua>,
	"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
	"davem@...emloft.net" <davem@...emloft.net>,
	"paulus@...ba.org" <paulus@...ba.org>,
	"nuclearcat@...learcat.com" <nuclearcat@...learcat.com>
Subject: Re: [PATCH net] ppp: don't override sk->sk_state in pppoe_flush_dev()

On Tue, Oct 06, 2015 at 09:12:18PM +0000, Matt Bennett wrote:
> On Tue, 2015-10-06 at 11:46 +0200, Guillaume Nault wrote:
> > On Tue, Oct 06, 2015 at 04:46:04AM +0000, Matt Bennett wrote:
> > > I don't know why the code isn't like the following anyway.
> > > 
> > > -if (sk->sk_state & (PPPOX_CONNECTED | PPPOX_BOUND | PPPOX_ZOMBIE)) {
> > > +if (po->pppoe_dev) {
> > > 	dev_put(po->pppoe_dev);
> > > 	po->pppoe_dev = NULL;
> > > }
> > I was thinking about that same approach. pppoe_release() is the only
> > function making that assumption. Other parts of the code seem to only
> > require that PPPOX_CONNECTED => pppoe_dev != NULL.
> > 
> > But I think the original condition was valid. Adding PPPOX_ZOMBIE into
> > the test and resetting pppoe_dev upon reception of PADT have changed the
> > relationship between sk_state and pppoe_dev, which is where the problem
> > stands.
> Yes originally the condition was valid. But I think the issue is plain
> to see when you look at the comment beside PPPOX_ZOMBIE declared in the
> enum.
> 
>  PPPOX_ZOMBIE	= 8,  /* dead, but still bound to ppp device */
> 
> We have seen in the situation we have described previously that we can
> be in this state without being bound to the ppp device.
> 
> In my opinion the entire logic around
> pppoe_disc_rcv()/pppoe_unbind_sock_work() looks wrong and I agree we
> should do what you suggested a few emails back.
> 
> i.e in pppoe_disc_rcv():
> 
> if (po) {
> 		struct sock *sk = sk_pppox(po);
> 
> -		bh_lock_sock(sk);
> -
> -		/* If the user has locked the socket, just ignore
> -		 * the packet.  With the way two rcv protocols hook into
> -		 * one socket family type, we cannot (easily) distinguish
> -		 * what kind of SKB it is during backlog rcv.
> -		 */
> -		if (sock_owned_by_user(sk) == 0) {
> -			/* We're no longer connect at the PPPOE layer,
> -			 * and must wait for ppp channel to disconnect us.
> -			 */
> -			sk->sk_state = PPPOX_ZOMBIE;
> -		}
> -
> -		bh_unlock_sock(sk);
> 		if (!schedule_work(&po->proto.pppoe.padt_work))
> 			sock_put(sk);
> 	}
> 
Yes, with the introduction of pppoe_unbind_sock_work(), setting
PPPOX_ZOMBIE shouldn't be required anymore.

> Subsequently the PPPOX_ZOMBIE state can be completely removed?
> 
Yes, this is the last place where PPPOX_ZOMBIE can be set.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists