linux/Documentation
Eric Biggers af8d3c7c00 ppp: remove the PPPIOCDETACH ioctl
The PPPIOCDETACH ioctl effectively tries to "close" the given ppp file
before f_count has reached 0, which is fundamentally a bad idea.  It
does check 'f_count < 2', which excludes concurrent operations on the
file since they would only be possible with a shared fd table, in which
case each fdget() would take a file reference.  However, it fails to
account for the fact that even with 'f_count == 1' the file can still be
linked into epoll instances.  As reported by syzbot, this can trivially
be used to cause a use-after-free.

Yet, the only known user of PPPIOCDETACH is pppd versions older than
ppp-2.4.2, which was released almost 15 years ago (November 2003).
Also, PPPIOCDETACH apparently stopped working reliably at around the
same time, when the f_count check was added to the kernel, e.g. see
https://lkml.org/lkml/2002/12/31/83.  Also, the current 'f_count < 2'
check makes PPPIOCDETACH only work in single-threaded applications; it
always fails if called from a multithreaded application.

All pppd versions released in the last 15 years just close() the file
descriptor instead.

Therefore, instead of hacking around this bug by exporting epoll
internals to modules, and probably missing other related bugs, just
remove the PPPIOCDETACH ioctl and see if anyone actually notices.  Leave
a stub in place that prints a one-time warning and returns EINVAL.

Reported-by: syzbot+16363c99d4134717c05b@syzkaller.appspotmail.com
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Acked-by: Paul Mackerras <paulus@ozlabs.org>
Reviewed-by: Guillaume Nault <g.nault@alphalink.fr>
Tested-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-05-24 22:55:07 -04:00
ABI cxl: Report the tunneled operations status 2018-05-15 21:30:01 +10:00
accelerators ocxl: Document the OCXL_IOCTL_GET_METADATA IOCTL 2018-03-02 13:02:15 +11:00
accounting
acpi
admin-guide PM: docs: intel_pstate: fix Active Mode w/o HWP paragraph 2018-05-09 12:16:44 +02:00
aoe
arm MTD changes: 2018-04-06 12:15:41 -07:00
arm64 ARM: 2018-04-09 11:42:31 -07:00
auxdisplay
backlight
block
blockdev
bpf bpf: Document sockmap '-target bpf' requirement for PROG_TYPE_SK_MSG 2018-04-23 23:42:21 +02:00
bus-devices
cdrom Documentation/cdrom: fix German sharp s in LaTex 2018-03-08 19:35:29 -07:00
cgroup-v1 page cache: use xa_lock 2018-04-11 10:28:39 -07:00
cma
connector
console
core-api textsearch: fix kernel-doc warnings and add kernel-api section 2018-04-16 18:53:13 -04:00
cpu-freq cpufreq: Drop cpufreq_table_validate_and_show() 2018-04-10 08:40:45 +02:00
cpuidle cpuidle: Add definition of residency to sysfs documentation 2018-04-09 13:44:37 +02:00
crypto crypto: doc - clarify hash callbacks state machine 2018-03-31 01:33:02 +08:00
dev-tools There's been a fair amount of activity in Documentation/ this time around: 2018-04-03 13:35:51 -07:00
device-mapper dm thin: update Documentation to clarify when "read_only" is valid 2018-05-10 11:18:49 -04:00
devicetree Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-05-21 08:37:48 -07:00
doc-guide MAINTAINERS & files: Canonize the e-mails I use at files 2018-05-04 06:21:06 -04:00
driver-api Driver core fixes for 4.17-rc3 2018-04-27 10:12:20 -07:00
driver-model
early-userspace
EDID
extcon
fault-injection Documentation: nvme: Documentation for nvme fault injection 2018-03-26 08:53:43 -06:00
fb
features arch: remove obsolete architecture ports 2018-04-02 20:20:12 -07:00
filesystems Merge branch 'overlayfs-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs 2018-04-13 16:55:41 -07:00
firmware_class
fmc
fpga
gpio Documentation: gpio: Move drivers-on-gpio.txt to driver-api 2018-03-23 04:22:29 +01:00
gpu Linux 4.16-rc7 2018-03-28 14:30:41 +10:00
hid
hwmon hwmon: (lm92) Add max6635 to lm92_id[] 2018-03-22 09:33:24 -07:00
i2c Documentation/i2c: adopt kernel commenting style in examples 2018-04-18 10:09:44 +02:00
ia64 ia64: doc: tweak whitespace for 'console=' parameter 2018-03-05 14:41:38 -08:00
ide
iio
infiniband Documentation/ABI: update infiniband sysfs interfaces 2018-02-23 08:18:33 -07:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2018-04-05 13:21:57 -07:00
ioctl staging: irda: remove remaining remants of irda code removal 2018-04-16 11:26:49 +02:00
isdn Documentation/isdn: check and fix dead links ... 2018-03-26 12:31:13 -04:00
kbuild Kconfig updates for v4.17 2018-04-03 16:28:01 -07:00
kdump
kernel-hacking Documentation: Fix misconversion of #if 2018-01-17 16:45:01 -07:00
laptops
leds
lightnvm
livepatch livepatch: Allow to call a custom callback when freeing shadow variables 2018-04-17 13:42:48 +02:00
locking Linux 4.16-rc2 2018-02-21 09:57:55 +01:00
m68k
maintainer
md raid5-ppl: PPL support for disks with write-back cache enabled 2018-01-15 14:29:42 -08:00
media MAINTAINERS & files: Canonize the e-mails I use at files 2018-05-04 06:21:06 -04:00
memory-devices
mic
mips Documentation: mips: Update AU1xxx_IDE Kconfig dependencies 2018-02-01 12:45:35 -07:00
misc-devices
mmc
mtd
namespaces
netlabel
networking ppp: remove the PPPIOCDETACH ioctl 2018-05-24 22:55:07 -04:00
nfc
nios2
nvdimm
nvmem
openrisc
parisc
PCI PCI: Update location of pci.ids file 2018-02-22 15:00:43 -06:00
pcmcia
perf drivers/bus: Move Arm CCN PMU driver 2018-03-06 17:26:15 +01:00
phy
platform
power firmware: Fix firmware documentation for recent file renames 2018-04-23 13:03:26 +02:00
powerpc
pps
process staging: irda: remove remaining remants of irda code removal 2018-04-16 11:26:49 +02:00
pti
ptp ptp: Fix documentation to match code. 2018-03-26 12:13:21 -04:00
rapidio Documentation: rapidio: move sysfs interface to ABI 2018-02-23 08:25:45 -07:00
RCU
s390 vfio-ccw: update documentation 2018-03-01 17:32:14 +01:00
scheduler
scsi scsi: documentation: Obsolete documentation references 2018-03-21 18:34:20 -04:00
security selinux: Update SELinux SCTP documentation 2018-03-20 16:26:15 -04:00
serial
sh
sound
sparc sparc64: Add support for ADI (Application Data Integrity) 2018-03-18 07:38:48 -07:00
sphinx MAINTAINERS & files: Canonize the e-mails I use at files 2018-05-04 06:21:06 -04:00
sphinx-static
spi
sysctl taint: add taint for randstruct 2018-04-11 10:28:35 -07:00
target
thermal thermal: Add cooling device's statistics in sysfs 2018-04-02 21:49:01 +08:00
timers sched/isolation: Eliminate NO_HZ_FULL_ALL 2018-02-15 15:40:37 -08:00
trace Revert: Unify CLOCK_MONOTONIC and CLOCK_BOOTTIME 2018-04-26 14:53:32 +02:00
translations MAINTAINERS & files: Canonize the e-mails I use at files 2018-05-04 06:21:06 -04:00
usb Documentation updates for 4.16. New stuff includes refcount_t 2018-01-31 19:25:25 -08:00
userspace-api
virtual kvm: rename KVM_HINTS_DEDICATED to KVM_HINTS_REALTIME 2018-05-17 19:12:13 +02:00
vm page cache: use xa_lock 2018-04-11 10:28:39 -07:00
w1 Documentation updates for 4.16. New stuff includes refcount_t 2018-01-31 19:25:25 -08:00
watchdog watchdog: remove bfin_wdt driver 2018-03-26 15:57:04 +02:00
wimax
x86 Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2018-04-15 16:12:35 -07:00
xtensa
.gitignore
00-INDEX CRIS: Drop support for the CRIS port 2018-03-16 10:56:05 +01:00
atomic_bitops.txt locking/atomic/bitops: Document and clarify ordering semantics for failed test_and_{}_bit() 2018-02-13 14:55:53 +01:00
atomic_t.txt
bcache.txt
bt8xxgpio.txt
btmrvl.txt
bus-virt-phys-mapping.txt
cachetlb.txt
cgroup-v2.txt cgroup, docs: document the root cgroup behavior of cpu and io controllers 2018-01-16 08:07:09 -08:00
Changes
circular-buffers.txt
clearing-warn-once.txt
clk.txt Documentation: clk: enable lock is not held for clk_is_enabled API 2018-03-16 15:44:43 -07:00
CodingStyle
conf.py
cpu-load.txt
cputopology.txt
crc32.txt
dcdbas.txt
debugging-modules.txt
debugging-via-ohci1394.txt
dell_rbu.txt
digsig.txt
DMA-API-HOWTO.txt
DMA-API.txt
DMA-attributes.txt
DMA-ISA-LPC.txt
docutils.conf
dontdiff
efi-stub.txt
eisa.txt
flexible-arrays.txt
futex-requeue-pi.txt
gcc-plugins.txt
highuid.txt
hw_random.txt
hwspinlock.txt
index.rst Documentation: add Linux tracing to Sphinx TOC tree 2018-03-07 10:22:53 -07:00
intel_txt.txt
Intel-IOMMU.txt
io_ordering.txt
io-mapping.txt
iostats.txt
IPMI.txt
IRQ-affinity.txt
IRQ-domain.txt irqdomain: Kill CONFIG_IRQ_DOMAIN_DEBUG 2018-01-24 12:32:58 +01:00
IRQ.txt
irqflags-tracing.txt
isa.txt
isapnp.txt
kernel-per-CPU-kthreads.txt
kobject.txt
kprobes.txt
kref.txt
ldm.txt
lockup-watchdogs.txt
logo.gif
logo.txt
lsm.txt
lzo.txt
mailbox.txt
Makefile
memory-barriers.txt locking/memory-barriers: De-emphasize smp_read_barrier_depends() some more 2018-03-10 10:22:22 +01:00
memory-hotplug.txt
men-chameleon-bus.txt
nommu-mmap.txt
ntb.txt
numastat.txt
padata.txt
parport-lowlevel.txt
percpu-rw-semaphore.txt
phy.txt
pi-futex.txt
pnp.txt
preempt-locking.txt
pwm.txt
rbtree.txt
remoteproc.txt
rfkill.txt
robust-futex-ABI.txt
robust-futexes.txt
rpmsg.txt
rtc.txt Documentation: rtc: move iotcl interface documentation to ABI 2018-01-12 00:20:41 +01:00
SAK.txt
sgi-ioc4.txt
siphash.txt
SM501.txt
smsc_ece1099.txt
speculation.txt Documentation: Document array_index_nospec 2018-01-30 21:54:28 +01:00
static-keys.txt
SubmittingPatches
svga.txt
switchtec.txt
sync_file.txt
tee.txt
this_cpu_ops.txt
unaligned-memory-access.txt
vfio-mediated-device.txt
vfio.txt
video-output.txt
xillybus.txt
xz.txt
zorro.txt