From patchwork Mon Jul  6 05:48:35 2009
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Mariusz Kozlowski <m.kozlowski@tuxland.pl>
X-Patchwork-Id: 29480
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@bilbo.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from ozlabs.org (ozlabs.org [203.10.76.45])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client CN "mx.ozlabs.org",
	Issuer "CA Cert Signing Authority" (verified OK))
	by bilbo.ozlabs.org (Postfix) with ESMTPS id 5E8FAB6F20
	for <patchwork-incoming@bilbo.ozlabs.org>;
	Mon,  6 Jul 2009 15:55:38 +1000 (EST)
Received: by ozlabs.org (Postfix)
	id 4DE1DDDD0C; Mon,  6 Jul 2009 15:55:38 +1000 (EST)
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.176.167])
	by ozlabs.org (Postfix) with ESMTP id CE034DDD01
	for <patchwork-incoming@ozlabs.org>;
	Mon,  6 Jul 2009 15:55:37 +1000 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752487AbZGFFzZ (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Mon, 6 Jul 2009 01:55:25 -0400
Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1752432AbZGFFzY
	(ORCPT <rfc822;netdev-outgoing>); Mon, 6 Jul 2009 01:55:24 -0400
Received: from orion.ambsoft.pl ([212.109.144.130]:47340 "EHLO
	orion.ambsoft.pl" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751528AbZGFFzX (ORCPT
	<rfc822;netdev@vger.kernel.org>); Mon, 6 Jul 2009 01:55:23 -0400
X-Greylist: delayed 409 seconds by postgrey-1.27 at vger.kernel.org;
	Mon, 06 Jul 2009 01:55:23 EDT
Received: from mako-desktop (dynamic-78-8-213-113.ssp.dialog.net.pl
	[78.8.213.113])
	by orion.ambsoft.pl (Postfix) with ESMTPSA id 00EDE3C62D8;
	Mon,  6 Jul 2009 07:48:36 +0200 (CEST)
Date: Mon, 6 Jul 2009 07:48:35 +0200
From: Mariusz Kozlowski <m.kozlowski@tuxland.pl>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: "David S. Miller" <davem@davemloft.net>, netdev@vger.kernel.org,
	Eugene Kapun <abacabadabacaba@gmail.com>, maxk@qualcomm.com,
	linux-net@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: PROBLEM: tun/tap crashes if open() /dev/net/tun and then poll()
	it.
Message-ID: <20090706074835.3fe641f0@mako-desktop>
In-Reply-To: <20090706011230.GC15156@gondor.apana.org.au>
References: <4A4F1480.70203@gmail.com> <20090706001114.2d4517be@mako-desktop>
	<20090706011230.GC15156@gondor.apana.org.au>
X-Mailer: Claws Mail 3.6.1 (GTK+ 2.16.1; x86_64-pc-linux-gnu)
Mime-Version: 1.0
X-Virus-Scanned: ClamAV 0.94.2/9538/Fri Jul  3 16:27:11 2009 on localhost
X-Virus-Status: Clean
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

On Mon, 6 Jul 2009 09:12:30 +0800
Herbert Xu <herbert@gondor.apana.org.au> wrote:

> On Mon, Jul 06, 2009 at 12:11:14AM +0200, Mariusz Kozlowski wrote:
> >
> > 	Can you try this patch?
... 
> Good catch.  Can you please resend with a sign-off?

Sure. Just wanted to wait for confirmation from Eugene.

Fix NULL pointer dereference in tun_chr_pool() introduced by
commit 33dccbb050bbe35b88ca8cf1228dcf3e4d4b3554 and triggered
by this code:

	int fd;
	struct pollfd pfd;
	fd = open("/dev/net/tun", O_RDWR);
	pfd.fd = fd;
	pfd.events = POLLIN | POLLOUT;
	poll(&pfd, 1, 0);

Reported-by: Eugene Kapun <abacabadabacaba@gmail.com>
Signed-off-by: Mariusz Kozlowski <m.kozlowski@tuxland.pl>
---
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index a1b0697..bcbb25e 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -482,12 +482,14 @@ static unsigned int tun_chr_poll(struct file *file, poll_table * wait)
 {
 	struct tun_file *tfile = file->private_data;
 	struct tun_struct *tun = __tun_get(tfile);
-	struct sock *sk = tun->sk;
+	struct sock *sk;
 	unsigned int mask = 0;
 
 	if (!tun)
 		return POLLERR;
 
+	sk = tun->sk;
+
 	DBG(KERN_INFO "%s: tun_chr_poll\n", tun->dev->name);
 
 	poll_wait(file, &tfile->read_wait, wait);