On Wed, Nov 16, 2016 at 11:08:23AM -0800, Cong Wang wrote: > On Wed, Nov 16, 2016 at 8:30 AM, Guillaume Nault <g.na...@alphalink.fr> wrote: > > diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c > > index fce25af..982f6c4 100644 > > --- a/net/l2tp/l2tp_ip.c > > +++ b/net/l2tp/l2tp_ip.c > > @@ -251,8 +251,6 @@ static int l2tp_ip_bind(struct sock *sk, struct > > sockaddr *uaddr, int addr_len) > > int ret; > > int chk_addr_ret; > > > > - if (!sock_flag(sk, SOCK_ZAPPED)) > > - return -EINVAL; > > if (addr_len < sizeof(struct sockaddr_l2tpip)) > > return -EINVAL; > > if (addr->l2tp_family != AF_INET) > > @@ -267,6 +265,9 @@ static int l2tp_ip_bind(struct sock *sk, struct > > sockaddr *uaddr, int addr_len) > > read_unlock_bh(&l2tp_ip_lock); > > > > lock_sock(sk); > > + if (!sock_flag(sk, SOCK_ZAPPED)) > > + goto out; > > + > > if (sk->sk_state != TCP_CLOSE || addr_len < sizeof(struct > > sockaddr_l2tpip)) > > goto out; > > > > diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c > > index ad3468c..9978d01 100644 > > --- a/net/l2tp/l2tp_ip6.c > > +++ b/net/l2tp/l2tp_ip6.c > > @@ -269,8 +269,6 @@ static int l2tp_ip6_bind(struct sock *sk, struct > > sockaddr *uaddr, int addr_len) > > int addr_type; > > int err; > > > > - if (!sock_flag(sk, SOCK_ZAPPED)) > > - return -EINVAL; > > if (addr->l2tp_family != AF_INET6) > > return -EINVAL; > > if (addr_len < sizeof(*addr)) > > @@ -296,6 +294,9 @@ static int l2tp_ip6_bind(struct sock *sk, struct > > sockaddr *uaddr, int addr_len) > > lock_sock(sk); > > > > err = -EINVAL; > > + if (!sock_flag(sk, SOCK_ZAPPED)) > > + goto out_unlock; > > + > > if (sk->sk_state != TCP_CLOSE) > > goto out_unlock; > > > Makes sense, it should prevent a concurrent caller adding the socket > into bind table > twice after passing __l2tp_ip_bind_lookup() check.
Yes, and the __l2tp_ip_bind_lookup() call is also racy. But, by properly checking the SOCK_ZAPPED flag, we probably can remove this call entirely. For now, I only wanted to make sure the issue was well identified. I'll submit a more complete patch for net (with protected SOCK_ZAPPED check in l2tp_ip_connect() too).
