From: Guillaume Nault <g.na...@alphalink.fr>
Date: Fri, 18 Nov 2016 22:13:00 +0100

> Lock socket before checking the SOCK_ZAPPED flag in l2tp_ip6_bind().
> Without lock, a concurrent call could modify the socket flags between
> the sock_flag(sk, SOCK_ZAPPED) test and the lock_sock() call. This way,
> a socket could be inserted twice in l2tp_ip6_bind_table. Releasing it
> would then leave a stale pointer there, generating use-after-free
> errors when walking through the list or modifying adjacent entries.
...
> The same issue exists with l2tp_ip_bind() and l2tp_ip_bind_table.
>
> Fixes: c51ce49735c1 ("l2tp: fix oops in L2TP IP sockets for connect()
> AF_UNSPEC case")
> Reported-by: Baozeng Ding <splovi...@gmail.com>
> Reported-by: Andrey Konovalov <andreyk...@google.com>
> Tested-by: Baozeng Ding <splovi...@gmail.com>
> Signed-off-by: Guillaume Nault <g.na...@alphalink.fr>

Applied and queued up for -stable, thanks.
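The check-then-lock window described in the commit message, modelled as a user-space toy (added example, not the patch, the kernel's l2tp code, or anything from this thread). `struct toy_sock`, `bind_unlocked_check`, `bind_locked_check`, `concurrent_binder` and `run_scenario` are invented names; the `race` hook stands in for the scheduler running a second bind() on the same socket between the unlocked SOCK_ZAPPED test and lock_sock(). It shows why the fix is to take the lock first and test the flag under it: the second bind then observes the already-bound socket and is refused, so the table gets one entry instead of two.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy stand-in for a kernel socket (hypothetical; not a real struct). */
struct toy_sock {
    bool zapped;   /* models SOCK_ZAPPED: true means "not yet bound" */
    bool locked;   /* models lock_sock()/release_sock() being held */
    int  in_table; /* number of entries this sock has in the bind table */
};

/* Called where a concurrent bind() could be scheduled; NULL = no race. */
typedef void (*race_hook_t)(struct toy_sock *sk);

static void lock_sock(struct toy_sock *sk)    { sk->locked = true; }
static void release_sock(struct toy_sock *sk) { sk->locked = false; }

/* Insert into the bind table and clear the "zapped" state. A second
 * insertion of the same sock is the bug: releasing the sock later
 * leaves a dangling entry behind (the use-after-free in the message). */
static void bind_table_add(struct toy_sock *sk)
{
    sk->in_table++;
    sk->zapped = false;
}

/* Fixed ordering: take the socket lock, then test the flag under it. */
static int bind_locked_check(struct toy_sock *sk, race_hook_t race)
{
    if (race)
        race(sk);          /* the other bind can only run before we lock */
    lock_sock(sk);
    if (!sk->zapped) {     /* already bound: refuse */
        release_sock(sk);
        return -EINVAL;
    }
    bind_table_add(sk);
    release_sock(sk);
    return 0;
}

/* Buggy ordering (pre-fix): the flag is tested without the lock, so a
 * concurrent bind can complete between the test and lock_sock(), and
 * the insertion below is then done without re-checking. */
static int bind_unlocked_check(struct toy_sock *sk, race_hook_t race)
{
    if (!sk->zapped)
        return -EINVAL;
    if (race)
        race(sk);          /* window: another bind() lands here */
    lock_sock(sk);
    bind_table_add(sk);    /* second insertion of the same sock */
    release_sock(sk);
    return 0;
}

/* Simulated concurrent caller: a second bind() on the same socket,
 * itself correctly locking before it checks. */
static void concurrent_binder(struct toy_sock *sk)
{
    bind_locked_check(sk, NULL);
}

/* Run one bind() with an optional racing bind(); return how many bind
 * table entries the socket ends up with (1 is correct, 2 is the bug). */
static int run_scenario(int (*bind_fn)(struct toy_sock *, race_hook_t),
                        race_hook_t race)
{
    struct toy_sock sk = { .zapped = true, .locked = false, .in_table = 0 };
    bind_fn(&sk, race);
    return sk.in_table;
}

int main(void)
{
    printf("unlocked check, no race : %d entries\n",
           run_scenario(bind_unlocked_check, NULL));
    printf("unlocked check, raced   : %d entries (bug)\n",
           run_scenario(bind_unlocked_check, concurrent_binder));
    printf("locked check, raced     : %d entries (fixed)\n",
           run_scenario(bind_locked_check, concurrent_binder));
    return 0;
}
```

The `race` hook is only a deterministic stand-in for preemption; a real reproduction would need two threads hitting the window, which is why the kernel-side fix is the ordering change rather than any check that runs outside the lock.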