Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp4689298imm;
        Fri, 18 May 2018 09:03:37 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZo2Nn404sSRbVTOtDlGOmmbTFJTpXNdlRbVdUmBNo8n8EHAI/d5Zd/fCyYlsClFIMLWavok
X-Received: by 2002:a63:7c01:: with SMTP id x1-v6mr7948776pgc.286.1526659417407;
        Fri, 18 May 2018 09:03:37 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1526659417; cv=none;
        d=google.com; s=arc-20160816;
        b=kLrVqPlpXQvsh0eSJkKGyuw9G/JkpL3k1VBt3fFZVPah7jKpX3vX/N8Q5l4/uZ/dPV
         eyAlJ/fZ50LeUCo6I3xUrkPhoe6HXKU70XW/3oxT13tAc5uEISavj/GlYJd7bPIHycqO
         iJz4QSbchHxHgXC2xtpFbXU9l02VTtVbijEM10jEtYmzNg3MJNrl+eWYiFWjwBVKChVV
         6Qf/XdrZ7lYomzvUsV+4zC9GFIEQlYLpesxaR76Fr+C2ZoyOrRgsEg8iXovfl7JnB0zd
         jaOnCSfVSqAyn1FPQAWAz4dwiZ02pJ8ZJcwfVGFUSeSB4za0jZ7E7np19RE8rJ+lxZPY
         gwGg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:arc-authentication-results;
        bh=3Sf5om+It61OYfbJ+NL3nS8DgL/8DTSNRVbHysqGnNE=;
        b=vy3tIp2MSLgVTzK/nJXPHKiAn1WD3kbfehGVcycabf1PUjd/g9Evm3PTef7ac4sOxu
         NqdDlSQctdiz61WjhtP2Nn/ap/4NkY1fUUlOHuf9BbOTEfWbdBuZdi7qDL6qnVDF+mcj
         ORyqiVdX/ImvZsOwkU9L05oS4PiN9sPnmxdbyUgM7lIFXAHy0DLA88SnNaNzgsNmp9kd
         +YsyE+p4rwrSH4mDiZn/DnmxluW/9mojoZBra8A9HqNhHeMHAInIhrmpOjJwYItL35UG
         O7mqFROpX13xm/l1x7ZlCwjeJXIMf32CeRq/k4NBISYNogzUDiZKpnAKSa75F+atK5yL
         iDlQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id v80-v6si7963008pfa.173.2018.05.18.09.03.21;
        Fri, 18 May 2018 09:03:37 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752550AbeERQCc (ORCPT <rfc822;mohamedabbas.us@gmail.com>
        + 99 others); Fri, 18 May 2018 12:02:32 -0400
Received: from zimbra.alphalink.fr ([217.15.80.77]:56239 "EHLO
        zimbra.alphalink.fr" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752503AbeERQC1 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 18 May 2018 12:02:27 -0400
Received: from localhost (localhost [127.0.0.1])
        by mail-2-cbv2.admin.alphalink.fr (Postfix) with ESMTP id 485E62B52097;
        Fri, 18 May 2018 18:02:25 +0200 (CEST)
Received: from zimbra.alphalink.fr ([127.0.0.1])
        by localhost (mail-2-cbv2.admin.alphalink.fr [127.0.0.1]) (amavisd-new, port 10032)
        with ESMTP id 6Jri3PlUJwEE; Fri, 18 May 2018 18:02:24 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
        by mail-2-cbv2.admin.alphalink.fr (Postfix) with ESMTP id ED4DB2B520B2;
        Fri, 18 May 2018 18:02:23 +0200 (CEST)
X-Virus-Scanned: amavisd-new at mail-2-cbv2.admin.alphalink.fr
Received: from zimbra.alphalink.fr ([127.0.0.1])
        by localhost (mail-2-cbv2.admin.alphalink.fr [127.0.0.1]) (amavisd-new, port 10026)
        with ESMTP id RmLleXVTwnLz; Fri, 18 May 2018 18:02:23 +0200 (CEST)
Received: from c-dev-0.admin.alphalink.fr (94-84-15-217.reverse.alphalink.fr [217.15.84.94])
        by mail-2-cbv2.admin.alphalink.fr (Postfix) with ESMTP id B622F2B52097;
        Fri, 18 May 2018 18:02:23 +0200 (CEST)
Received: by c-dev-0.admin.alphalink.fr (Postfix, from userid 1000)
        id 8BAD16025E; Fri, 18 May 2018 18:02:23 +0200 (CEST)
Date:   Fri, 18 May 2018 18:02:23 +0200
From:   Guillaume Nault <g.nault@alphalink.fr>
To:     Eric Biggers <ebiggers3@gmail.com>
Cc:     linux-ppp@vger.kernel.org, Paul Mackerras <paulus@samba.org>,
        netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
        syzkaller-bugs@googlegroups.com,
        syzbot <syzbot+16363c99d4134717c05b@syzkaller.appspotmail.com>,
        viro@zeniv.linux.org.uk
Subject: Re: KASAN: use-after-free Read in remove_wait_queue (2)
Message-ID: <20180518160223.GF1534@alphalink.fr>
References: <f403043d0f18f879cc056648a875@google.com>
 <20180514061155.GL677@sol.localdomain>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20180514061155.GL677@sol.localdomain>
User-Agent: Mutt/1.9.5 (2018-04-13)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, May 13, 2018 at 11:11:55PM -0700, Eric Biggers wrote:
> [+ppp list and maintainer]
> 
> This is a bug in ppp_generic.c; it still happens on Linus' tree and it's easily
> reproducible, see program below.  The bug is that the PPPIOCDETACH ioctl doesn't
> consider that the file can still be attached to epoll instances even when
> ->f_count == 1.

Right. What would it take to remove the file for the epoll instances?
Sorry for the naive question, but I'm not familiar with VFS and didn't
find a helper function we could call.

> Also, the reproducer doesn't test this but I think ppp_poll(),
> ppp_read(), and ppp_write() can all race with PPPIOCDETACH, causing
> use-after-frees as well.

I also believe so. ppp_release() resets ->private_data, and even though
functions like ppp_read() test ->private_data before executing, there's
no synchronisation mechanism to ensure that the update is visible
before the unit or channel is destroyed. Is that the kind of race you
had in mind?

> Any chance that PPPIOCDETACH can simply be removed,
> given that it's apparently been "deprecated" for 16 years?
> Does anyone use it?

The only users I'm aware of are pppd versions older than ppp-2.4.2
(released in November 2003). But even at that time, there were issues
with PPPIOCDETACH as pppd didn't seem to react properly when this call
failed. An Internet search on the "PPPIOCDETACH file->f_count=" kernel
log string, or on the "Couldn't release PPP unit: Invalid argument"
error message of pppd, returns several related bug reports.

Originally, PPPIOCDETACH never failed, but testing ->f_count was
later introduced to fix crashes when the file descriptor had been
duplicated. It seems that this was motivated by polling issues too.

Long story short, it looks like PPPIOCDETACH never has worked well
and we have at least two more bugs to fix. Given how it has proven
fragile, I wouldn't be surprised if there were even more lurking
around. I'd say that it's probably safer to drop it than to add more
workarounds and playing wack-a-mole with those bugs.