From: Hannes Frederic Sowa <han...@stressinduktion.org> Date: Fri, 22 Jan 2016 01:39:43 +0100
> Several times already this has been reported as kasan reports caused by
> syzkaller and trinity and people always looked at RCU races, but it is
> much more simple. :)
>
> In case we bind a pptp socket multiple times, we simply add it to
> the callid_sock list but don't remove the old binding. Thus the old
> socket stays in the bucket with unused call_id indexes and doesn't get
> cleaned up. This causes various forms of kasan reports which were hard
> to pinpoint.
>
> Simply don't allow multiple binds and correct error handling in
> pptp_bind. Also keep sk_state bits in place in pptp_connect.
>
> Fixes: 00959ade36acad ("PPTP: PPP over IPv4 (Point-to-Point Tunneling
> Protocol)")
> Cc: Dmitry Kozlov <x...@mail.ru>
> Cc: Sasha Levin <sasha.le...@oracle.com>
> Cc: Dmitry Vyukov <dvyu...@google.com>
> Reported-by: Dmitry Vyukov <dvyu...@google.com>
> Cc: Dave Jones <da...@codemonkey.org.uk>
> Reported-by: Dave Jones <da...@codemonkey.org.uk>
> Signed-off-by: Hannes Frederic Sowa <han...@stressinduktion.org>

Applied and queued up for -stable, thanks Hannes.
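The mechanism the commit message describes, as an added user-space model that is not kernel code and not part of this thread: a table of socket pointers indexed by call_id, a bind() that inserts under a new call_id without removing the old entry, and a release that only clears the slot for the socket's current call_id. The real pptp.c keeps a hash of sockets plus a bitmap of used call ids and also touches pptp_connect; the structure, field and function names here (model_sock, callid_sock, bind_buggy, bind_fixed, model_release, lookup) are my own, and the -EBUSY return for a second bind is my choice for the fixed variant, modelled on the "don't allow multiple binds" line above rather than copied from the patch. Sockets live in a static pool with an alive flag so the stale lookup can be detected without dereferencing freed memory.

```c
#include <stdio.h>
#include <string.h>
#include <errno.h>

/* Added example: a deliberately simplified model of a call-id -> socket
 * table.  Not the kernel's data structure; names are illustrative. */

#define MAX_CALLID 8
#define SOCK_BOUND 0x1

struct model_sock {
	int alive;    /* 1 while the socket exists, 0 after release */
	int state;    /* SOCK_BOUND once a bind() succeeded */
	int call_id;  /* call id from the most recent successful bind() */
};

/* Slot i holds the socket bound with call_id i, or NULL. */
static struct model_sock *callid_sock[MAX_CALLID + 1];

static void model_reset(void)
{
	memset(callid_sock, 0, sizeof(callid_sock));
}

/* Buggy variant: every bind() inserts under the requested call_id, and a
 * second bind() of the same socket leaves the first slot pointing at it. */
static int bind_buggy(struct model_sock *sk, int call_id)
{
	if (call_id < 1 || call_id > MAX_CALLID || callid_sock[call_id])
		return -EADDRINUSE;
	callid_sock[call_id] = sk;
	sk->call_id = call_id;
	sk->state |= SOCK_BOUND;
	return 0;
}

/* Fixed variant: refuse to bind a socket that is already bound (the
 * -EBUSY code is an assumption of this model). */
static int bind_fixed(struct model_sock *sk, int call_id)
{
	if (sk->state & SOCK_BOUND)
		return -EBUSY;
	return bind_buggy(sk, call_id);
}

/* Release only knows the socket's current call_id, so that is the only
 * slot it clears; an earlier binding survives as a dangling pointer. */
static void model_release(struct model_sock *sk)
{
	if (sk->state & SOCK_BOUND)
		callid_sock[sk->call_id] = NULL;
	sk->state = 0;
	sk->alive = 0;
}

/* Demux path: an incoming packet's call_id selects the socket. */
static struct model_sock *lookup(int call_id)
{
	if (call_id < 1 || call_id > MAX_CALLID)
		return NULL;
	return callid_sock[call_id];
}

/* Sequence: bind(1), bind(2), release.  Returns 1 if lookup(1) still
 * yields the socket after it is gone, i.e. the stale entry the commit
 * message describes; 0 if the table is clean. */
static int stale_entry_after_double_bind(int (*bind)(struct model_sock *, int))
{
	static struct model_sock sk;
	struct model_sock *hit;

	model_reset();
	memset(&sk, 0, sizeof(sk));
	sk.alive = 1;

	bind(&sk, 1);
	bind(&sk, 2);      /* buggy: succeeds; fixed: rejected with -EBUSY */
	model_release(&sk);

	hit = lookup(1);
	return hit != NULL && !hit->alive;
}

int main(void)
{
	printf("buggy bind leaves stale entry: %d\n",
	       stale_entry_after_double_bind(bind_buggy));
	printf("fixed bind leaves stale entry: %d\n",
	       stale_entry_after_double_bind(bind_fixed));
	return 0;
}
```

With the buggy bind the first slot still points at the released socket, which is the shape of dangling reference a KASAN use-after-free report would flag once a packet with that call id arrives; with the bind-once rule the second bind fails and release clears the only slot that was ever populated.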