3.2.97-rc1 review patch. If anyone has any objections, please let me know.
------------------ From: Guillaume Nault <[email protected]> commit a3c18422a4b4e108bcf6a2328f48867e1003fd95 upstream. Socket must be held while under the protection of the l2tp lock; there is no guarantee that sk remains valid after the read_unlock_bh() call. Same issue for l2tp_ip and l2tp_ip6. Signed-off-by: Guillaume Nault <[email protected]> Signed-off-by: David S. Miller <[email protected]> [bwh: Backported to 3.2: - Drop changes in l2tp_ip6.c - Adjust context] Signed-off-by: Ben Hutchings <[email protected]> --- --- a/net/l2tp/l2tp_ip.c +++ b/net/l2tp/l2tp_ip.c @@ -197,14 +197,15 @@ pass_up: read_lock_bh(&l2tp_ip_lock); sk = __l2tp_ip_bind_lookup(&init_net, iph->daddr, 0, tunnel_id); + if (!sk) { + read_unlock_bh(&l2tp_ip_lock); + goto discard; + } + + sock_hold(sk); read_unlock_bh(&l2tp_ip_lock); } - if (sk == NULL) - goto discard; - - sock_hold(sk); - if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)) goto discard_put;
