Re: [PATCH net v2] ppp: defer channel free to an RCU grace period to fix pppol2tp RX UAF
From: Breno Leitao <leitao@debian.org>
Date: 2026-07-03 16:32:31
Also in:
lkml
On Fri, Jul 03, 2026 at 03:27:00PM +0800, Qingfang Deng wrote:
Hi,

On 2026/7/2 2:12, Norbert Szetei wrote:
+/* Purge after the grace period: a late ppp_input() may still queue an + * skb on pch->file.rq before the last RCU reader drains. + */ +static void ppp_release_channel_free(struct rcu_head *rcu) +{ + struct channel *pch = container_of(rcu, struct channel, rcu); + + skb_queue_purge(&pch->file.xq); + skb_queue_purge(&pch->file.rq); + kfree(pch); +} + /* * Drop a reference to a ppp channel and free its memory if the refcount reaches * zero.@@ -3581,9 +3594,7 @@ static void ppp_release_channel(struct channel *pch) pr_err("ppp: destroying undead channel %p !\n", pch); return; } - skb_queue_purge(&pch->file.xq); - skb_queue_purge(&pch->file.rq); - kfree(pch); + call_rcu(&pch->rcu, ppp_release_channel_free); } static void __exit ppp_cleanup(void)AI-review found an issue: https://sashiko.dev/#/patchset/D9C0245B-608B-4884-8A09-F55BA4A9F948%40doyensec.com An rcu_barrier() call is needed at the end of ppp_cleanup().
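Review bot: once ppp_release_channel() hands the free to call_rcu(), the ppp_cleanup() path shown as the trailing context of the second hunk needs an rcu_barrier() before returning, since a still-pending ppp_release_channel_free() callback would otherwise run after the module text is unloaded; one line such as `rcu_barrier();` at the end of ppp_cleanup() closes that window. Separately, the hunk dereferences `pch->rcu` and uses `container_of(rcu, struct channel, rcu)`, but the addition of the `struct rcu_head rcu` member to struct channel is not visible in this excerpt, so confirm it lands in the same patch. The comment on ppp_release_channel_free() does explain why both queue purges move after the grace period, which is the right place for that reasoning.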
I was initially unclear why rcu_barrier() would be necessary on a kfree path, but it appears to be required during module unload to ensure that ppp_release_channel_free() completes before the module's struct rcu_head is destroyed. Is that the correct understanding?