l2tp: hold socket before dropping lock in l2tp_ip{, 6}_recv()

Socket must be held while under the protection of the l2tp lock; there
is no guarantee that sk remains valid after the read_unlock_bh() call.

Same issue for l2tp_ip and l2tp_ip6.

Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>

2 files changed, 12 insertions, 10 deletions

diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c
index 1f57094d3111..4d1c942cc91b 100644
--- a/net/l2tp/l2tp_ip.c
+++ b/net/l2tp/l2tp_ip.c
@@ -183,14 +183,15 @@ pass_up:
 
                 read_lock_bh(&l2tp_ip_lock);
                 sk = __l2tp_ip_bind_lookup(net, iph->daddr, 0, tunnel_id);
+                if (!sk) {
+                        read_unlock_bh(&l2tp_ip_lock);
+                        goto discard;
+                }
+
+                sock_hold(sk);
                 read_unlock_bh(&l2tp_ip_lock);
         }
 
-        if (sk == NULL)
-                goto discard;
-
-        sock_hold(sk);
-
         if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb))
                 goto discard_put;
 
diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
index af9abfff637c..e3fc7786f188 100644
--- a/net/l2tp/l2tp_ip6.c
+++ b/net/l2tp/l2tp_ip6.c
@@ -198,14 +198,15 @@ pass_up:
                 read_lock_bh(&l2tp_ip6_lock);
                 sk = __l2tp_ip6_bind_lookup(net, &iph->daddr,
                                             0, tunnel_id);
+                if (!sk) {
+                        read_unlock_bh(&l2tp_ip6_lock);
+                        goto discard;
+                }
+
+                sock_hold(sk);
                 read_unlock_bh(&l2tp_ip6_lock);
         }
 
-        if (sk == NULL)
-                goto discard;
-
-        sock_hold(sk);
-
         if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
                 goto discard_put;