* Re: PROBLEM: tun/tap crashes if open() /dev/net/tun and then poll() it. [not found] ` <20090706001114.2d4517be@mako-desktop> @ 2009-07-06 1:12 ` Herbert Xu 2009-07-06 5:48 ` Mariusz Kozlowski 0 siblings, 1 reply; 3+ messages in thread From: Herbert Xu @ 2009-07-06 1:12 UTC (permalink / raw) To: Mariusz Kozlowski, David S. Miller, netdev Cc: Eugene Kapun, maxk, linux-net, linux-kernel On Mon, Jul 06, 2009 at 12:11:14AM +0200, Mariusz Kozlowski wrote: > > Can you try this patch? > > diff --git a/drivers/net/tun.c b/drivers/net/tun.c > index 11a0ba4..c599327 100644 > --- a/drivers/net/tun.c > +++ b/drivers/net/tun.c > @@ -486,12 +486,14 @@ static unsigned int tun_chr_poll(struct file *file, poll_table * wait) > { > struct tun_file *tfile = file->private_data; > struct tun_struct *tun = __tun_get(tfile); > - struct sock *sk = tun->sk; > + struct sock *sk; > unsigned int mask = 0; > > if (!tun) > return POLLERR; > > + sk = tun->sk; > + > DBG(KERN_INFO "%s: tun_chr_poll\n", tun->dev->name); > > poll_wait(file, &tun->socket.wait, wait); Good catch. Can you please resend with a sign-off? Thanks, -- Visit Openswan at http://www.openswan.org/ Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: PROBLEM: tun/tap crashes if open() /dev/net/tun and then poll() it. 2009-07-06 1:12 ` PROBLEM: tun/tap crashes if open() /dev/net/tun and then poll() it Herbert Xu @ 2009-07-06 5:48 ` Mariusz Kozlowski 2009-07-06 20:08 ` David Miller 0 siblings, 1 reply; 3+ messages in thread From: Mariusz Kozlowski @ 2009-07-06 5:48 UTC (permalink / raw) To: Herbert Xu Cc: David S. Miller, netdev, Eugene Kapun, maxk, linux-net, linux-kernel On Mon, 6 Jul 2009 09:12:30 +0800 Herbert Xu <herbert@gondor.apana.org.au> wrote: > On Mon, Jul 06, 2009 at 12:11:14AM +0200, Mariusz Kozlowski wrote: > > > > Can you try this patch? ... > Good catch. Can you please resend with a sign-off? Sure. Just wanted to wait for confirmation from Eugene. Fix NULL pointer dereference in tun_chr_pool() introduced by commit 33dccbb050bbe35b88ca8cf1228dcf3e4d4b3554 and triggered by this code: int fd; struct pollfd pfd; fd = open("/dev/net/tun", O_RDWR); pfd.fd = fd; pfd.events = POLLIN | POLLOUT; poll(&pfd, 1, 0); Reported-by: Eugene Kapun <abacabadabacaba@gmail.com> Signed-off-by: Mariusz Kozlowski <m.kozlowski@tuxland.pl> diff --git a/drivers/net/tun.c b/drivers/net/tun.c index a1b0697..bcbb25e 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c @@ -482,12 +482,14 @@ static unsigned int tun_chr_poll(struct file *file, poll_table * wait) { struct tun_file *tfile = file->private_data; struct tun_struct *tun = __tun_get(tfile); - struct sock *sk = tun->sk; + struct sock *sk; unsigned int mask = 0; if (!tun) return POLLERR; + sk = tun->sk; + DBG(KERN_INFO "%s: tun_chr_poll\n", tun->dev->name); poll_wait(file, &tfile->read_wait, wait); ^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: PROBLEM: tun/tap crashes if open() /dev/net/tun and then poll() it. 2009-07-06 5:48 ` Mariusz Kozlowski @ 2009-07-06 20:08 ` David Miller 0 siblings, 0 replies; 3+ messages in thread From: David Miller @ 2009-07-06 20:08 UTC (permalink / raw) To: m.kozlowski Cc: herbert, netdev, abacabadabacaba, maxk, linux-net, linux-kernel From: Mariusz Kozlowski <m.kozlowski@tuxland.pl> Date: Mon, 6 Jul 2009 07:48:35 +0200 > Fix NULL pointer dereference in tun_chr_pool() introduced by > commit 33dccbb050bbe35b88ca8cf1228dcf3e4d4b3554 and triggered > by this code: > > int fd; > struct pollfd pfd; > fd = open("/dev/net/tun", O_RDWR); > pfd.fd = fd; > pfd.events = POLLIN | POLLOUT; > poll(&pfd, 1, 0); > > Reported-by: Eugene Kapun <abacabadabacaba@gmail.com> > Signed-off-by: Mariusz Kozlowski <m.kozlowski@tuxland.pl> Applied, thanks! ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2009-07-06 20:08 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <4A4F1480.70203@gmail.com>
[not found] ` <20090706001114.2d4517be@mako-desktop>
2009-07-06 1:12 ` PROBLEM: tun/tap crashes if open() /dev/net/tun and then poll() it Herbert Xu
2009-07-06 5:48 ` Mariusz Kozlowski
2009-07-06 20:08 ` David Miller
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox