tun/tap: Fix crashes if open() /dev/net/tun and then poll() it.
Fix NULL pointer dereference in tun_chr_pool() introduced by commit
33dccbb050
("tun: Limit amount of queued
packets per device") and triggered by this code:
int fd;
struct pollfd pfd;
fd = open("/dev/net/tun", O_RDWR);
pfd.fd = fd;
pfd.events = POLLIN | POLLOUT;
poll(&pfd, 1, 0);
Reported-by: Eugene Kapun <abacabadabacaba@gmail.com>
Signed-off-by: Mariusz Kozlowski <m.kozlowski@tuxland.pl>
Signed-off-by: David S. Miller <davem@davemloft.net>
hifive-unleashed-5.1
parent
1ded3f59f3
commit
3c8a9c63d5
|
@ -486,12 +486,14 @@ static unsigned int tun_chr_poll(struct file *file, poll_table * wait)
|
||||||
{
|
{
|
||||||
struct tun_file *tfile = file->private_data;
|
struct tun_file *tfile = file->private_data;
|
||||||
struct tun_struct *tun = __tun_get(tfile);
|
struct tun_struct *tun = __tun_get(tfile);
|
||||||
struct sock *sk = tun->sk;
|
struct sock *sk;
|
||||||
unsigned int mask = 0;
|
unsigned int mask = 0;
|
||||||
|
|
||||||
if (!tun)
|
if (!tun)
|
||||||
return POLLERR;
|
return POLLERR;
|
||||||
|
|
||||||
|
sk = tun->sk;
|
||||||
|
|
||||||
DBG(KERN_INFO "%s: tun_chr_poll\n", tun->dev->name);
|
DBG(KERN_INFO "%s: tun_chr_poll\n", tun->dev->name);
|
||||||
|
|
||||||
poll_wait(file, &tun->socket.wait, wait);
|
poll_wait(file, &tun->socket.wait, wait);
|
||||||
|
|
Loading…
Reference in New Issue