diff options
| author | Eric Dumazet <edumazet@google.com> | 2023-01-17 11:01:31 +0000 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2023-01-18 14:44:54 +0000 |
| commit | b9fb10d131b8c84af9bb14e2078d5c63600c7dea (patch) | |
| tree | dec2bca723eb44ac91387d8870c22679a59ad06a /net/l2tp | |
| parent | d71ebe8114b4bf622804b810f5e274069060a174 (diff) | |
l2tp: prevent lockdep issue in l2tp_tunnel_register()
lockdep complains with the following lock/unlock sequence:
lock_sock(sk);
write_lock_bh(&sk->sk_callback_lock);
[1] release_sock(sk);
[2] write_unlock_bh(&sk->sk_callback_lock);
We need to swap [1] and [2] to fix this issue.
Fixes: 0b2c59720e65 ("l2tp: close all race conditions in l2tp_tunnel_register()")
Reported-by: syzbot+bbd35b345c7cab0d9a08@syzkaller.appspotmail.com
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/netdev/20230114030137.672706-1-xiyou.wangcong@gmail.com/T/#m1164ff20628671b0f326a24cb106ab3239c70ce3
Cc: Cong Wang <cong.wang@bytedance.com>
Cc: Guillaume Nault <gnault@redhat.com>
Reviewed-by: Guillaume Nault <gnault@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/l2tp')
| -rw-r--r-- | net/l2tp/l2tp_core.c | 5 |
1 files changed, 2 insertions, 3 deletions
diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c index b6554e32bb12..03608d3ded4b 100644 --- a/net/l2tp/l2tp_core.c +++ b/net/l2tp/l2tp_core.c @@ -1483,10 +1483,8 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net, lock_sock(sk); write_lock_bh(&sk->sk_callback_lock); ret = l2tp_validate_socket(sk, net, tunnel->encap); - if (ret < 0) { - release_sock(sk); + if (ret < 0) goto err_inval_sock; - } rcu_assign_sk_user_data(sk, tunnel); write_unlock_bh(&sk->sk_callback_lock); @@ -1523,6 +1521,7 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net, err_inval_sock: write_unlock_bh(&sk->sk_callback_lock); + release_sock(sk); if (tunnel->fd < 0) sock_release(sock); |