l2tp: Fix inet_opt conversion.

We don't actually hold the socket lock at this point, so the
rcu_dereference_protected() isn't' correct.  Thanks to Eric
Dumazet for pointing this out.

Thankfully, we're only interested in fetching the faddr value
if srr is enabled, so we can simply make this an RCU sequence
and use plain rcu_dereference().

Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 4 insertions, 2 deletions

diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c
index 962a607b51da..e13c166824e0 100644
--- a/net/l2tp/l2tp_ip.c
+++ b/net/l2tp/l2tp_ip.c
@@ -472,13 +472,15 @@ static int l2tp_ip_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *m
         if (rt == NULL) {
                 struct ip_options_rcu *inet_opt;
 
-                inet_opt = rcu_dereference_protected(inet->inet_opt,
-                                                     sock_owned_by_user(sk));
+                rcu_read_lock();
+                inet_opt = rcu_dereference(inet->inet_opt);
 
                 /* Use correct destination address if we have options. */
                 if (inet_opt && inet_opt->opt.srr)
                         daddr = inet_opt->opt.faddr;
 
+                rcu_read_unlock();
+
                 /* If this fails, retransmit mechanism of transport layer will
                  * keep trying until route appears or the connection times
                  * itself out.