In the Linux kernel, the following vulnerability has been resolved:
l2tp: close all race conditions in l2tptunnelregister()
The code in l2tptunnelregister() is racy in several ways:
It modifies the tunnel socket after publishing it.
It calls setupudptunnel_sock() on an existing socket without locking.
It changes sock lock class on fly, which triggers many syzbot reports.
This patch amends all of them by moving socket initialization code before publishing and under sock lock. As suggested by Jakub, the l2tp lockdep class is not necessary as we can just switch to bhlocksock_nested().