From: Mariusz Kozlowski Date: Sun, 5 Jul 2009 19:48:35 +0000 (+0000) Subject: tun/tap: Fix crashes if open() /dev/net/tun and then poll() it. X-Git-Tag: MMI-PSA29.97-13-9~27020^2~202 X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=3c8a9c63d5fd738c261bd0ceece04d9c8357ca13;p=GitHub%2FMotorolaMobilityLLC%2Fkernel-slsi.git tun/tap: Fix crashes if open() /dev/net/tun and then poll() it. Fix NULL pointer dereference in tun_chr_pool() introduced by commit 33dccbb050bbe35b88ca8cf1228dcf3e4d4b3554 ("tun: Limit amount of queued packets per device") and triggered by this code: int fd; struct pollfd pfd; fd = open("/dev/net/tun", O_RDWR); pfd.fd = fd; pfd.events = POLLIN | POLLOUT; poll(&pfd, 1, 0); Reported-by: Eugene Kapun Signed-off-by: Mariusz Kozlowski Signed-off-by: David S. Miller --- diff --git a/drivers/net/tun.c b/drivers/net/tun.c index b393536012fb..027f7aba26af 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c @@ -486,12 +486,14 @@ static unsigned int tun_chr_poll(struct file *file, poll_table * wait) { struct tun_file *tfile = file->private_data; struct tun_struct *tun = __tun_get(tfile); - struct sock *sk = tun->sk; + struct sock *sk; unsigned int mask = 0; if (!tun) return POLLERR; + sk = tun->sk; + DBG(KERN_INFO "%s: tun_chr_poll\n", tun->dev->name); poll_wait(file, &tun->socket.wait, wait);