From: Hannes Frederic Sowa <[email protected]>
Date: Fri, 22 Jan 2016 01:39:43 +0100

> Several times already this has been reported as kasan reports caused by
> syzkaller and trinity and people always looked at RCU races, but it is
> much more simple. :)
> 
> In case we bind a pptp socket multiple times, we simply add it to
> the callid_sock list but don't remove the old binding. Thus the old
> socket stays in the bucket with unused call_id indexes and doesn't get
> cleaned up. This causes various forms of kasan reports which were hard
> to pinpoint.
> 
> Simply don't allow multiple binds and correct error handling in
> pptp_bind. Also keep sk_state bits in place in pptp_connect.
> 
> Fixes: 00959ade36acad ("PPTP: PPP over IPv4 (Point-to-Point Tunneling Protocol)")
> Cc: Dmitry Kozlov <[email protected]>
> Cc: Sasha Levin <[email protected]>
> Cc: Dmitry Vyukov <[email protected]>
> Reported-by: Dmitry Vyukov <[email protected]>
> Cc: Dave Jones <[email protected]>
> Reported-by: Dave Jones <[email protected]>
> Signed-off-by: Hannes Frederic Sowa <[email protected]>

Applied and queued up for -stable, thanks Hannes.
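
A userspace model of the double-bind problem the quoted commit message describes, added here as an illustration; it is not the kernel patch or code from this thread. The table layout, `ST_BOUND`, the function names and the `-EBUSY` return value are assumptions of the model.

```c
/* Userspace model of the stale-binding bug class; constructed, not kernel code. */
#include <errno.h>
#include <stdio.h>

#define MAX_CALLID 8
#define ST_BOUND   0x1  /* hypothetical stand-in for a "bound" state bit */

struct sock_model { int state; int call_id; };
static struct sock_model *callid_sock[MAX_CALLID];  /* call_id -> socket */

/* Unfixed behaviour: every bind registers a slot; a slot taken by an
 * earlier bind of the same socket is left in place. */
static int bind_unchecked(struct sock_model *s, int call_id) {
    if (call_id < 0 || call_id >= MAX_CALLID || callid_sock[call_id])
        return -EBUSY;
    callid_sock[call_id] = s;
    s->call_id = call_id;
    s->state |= ST_BOUND;
    return 0;
}

/* Fixed behaviour: refuse a second bind on an already bound socket. */
static int bind_checked(struct sock_model *s, int call_id) {
    return (s->state & ST_BOUND) ? -EBUSY : bind_unchecked(s, call_id);
}

/* Release clears only the slot the socket currently remembers. */
static void release_sock_model(struct sock_model *s) {
    if (s->state & ST_BOUND)
        callid_sock[s->call_id] = NULL;
    s->state = 0;
}

/* Bind twice, release, then count slots that still point at the socket.
 * Any remaining slot would dangle once the socket memory is freed. */
static int stale_after_double_bind(int (*bind_fn)(struct sock_model *, int)) {
    struct sock_model s = { 0, 0 };
    int stale = 0;
    bind_fn(&s, 1);
    bind_fn(&s, 2);
    release_sock_model(&s);
    for (int i = 0; i < MAX_CALLID; i++) {
        stale += (callid_sock[i] == &s);
        callid_sock[i] = NULL;  /* leave the table clean for the next run */
    }
    return stale;
}

int main(void) {
    printf("unchecked: %d stale\n", stale_after_double_bind(bind_unchecked));
    printf("checked:   %d stale\n", stale_after_double_bind(bind_checked));
    return 0;
}
```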
