L2TP tunnel creation is racy. We need to make sure that the tunnel returned by l2tp_tunnel_create() isn't going to be freed while the caller is using it. This is done in patch #1, by separating tunnel creation from tunnel registration.
With the tunnel registration code in place, we can now check for duplicate tunnels in a race-free way. This is done in patch #2, which incidentally removes the last use of l2tp_tunnel_find(). Guillaume Nault (2): l2tp: fix races in tunnel creation l2tp: fix race in duplicate tunnel detection net/l2tp/l2tp_core.c | 225 +++++++++++++++++----------------------- net/l2tp/l2tp_core.h | 4 +- net/l2tp/l2tp_netlink.c | 22 ++-- net/l2tp/l2tp_ppp.c | 9 ++ 4 files changed, 123 insertions(+), 137 deletions(-) -- 2.17.0
