tls: fix NULL pointer dereference on poll

author Daniel Borkmann <daniel@iogearbox.net>

Mon, 11 Jun 2018 21:22:04 +0000 (23:22 +0200)

committer David S. Miller <davem@davemloft.net>

Mon, 11 Jun 2018 23:29:54 +0000 (16:29 -0700)
author Daniel Borkmann <daniel@iogearbox.net>
Mon, 11 Jun 2018 21:22:04 +0000 (23:22 +0200)
committer David S. Miller <davem@davemloft.net>
Mon, 11 Jun 2018 23:29:54 +0000 (16:29 -0700)
diff --git a/include/net/tls.h b/include/net/tls.h

index 70c273777fe9fe27b2ef1ba7c2c80970da8ea5c4..7f84ea3e217cf5e3f78698ee63bc9dced179caed 100644 (file)
--- a/include/net/tls.h
+++ b/include/net/tls.h
@@ -109,8 +109,7 @@ struct tls_sw_context_rx {
  
         struct strparser strp;
         void (*saved_data_ready)(struct sock *sk);
-       unsigned int (*sk_poll)(struct file *file, struct socket *sock,
-                               struct poll_table_struct *wait);
+       __poll_t (*sk_poll_mask)(struct socket *sock, __poll_t events);
         struct sk_buff *recv_pkt;
         u8 control;
         bool decrypted;
@@ -225,8 +224,7 @@ void tls_sw_free_resources_tx(struct sock *sk);
  void tls_sw_free_resources_rx(struct sock *sk);
  int tls_sw_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
                    int nonblock, int flags, int *addr_len);
-unsigned int tls_sw_poll(struct file *file, struct socket *sock,
-                        struct poll_table_struct *wait);
+__poll_t tls_sw_poll_mask(struct socket *sock, __poll_t events);
  ssize_t tls_sw_splice_read(struct socket *sock, loff_t *ppos,
                            struct pipe_inode_info *pipe,
                            size_t len, unsigned int flags);
diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c

index 301f224304698950544088c16518ea2e14ff41a6..a127d61e8af984d3aaefde49c94f48a9a9187d53 100644 (file)
--- a/net/tls/tls_main.c
+++ b/net/tls/tls_main.c
@@ -712,7 +712,7 @@ static int __init tls_register(void)
         build_protos(tls_prots[TLSV4], &tcp_prot);
  
         tls_sw_proto_ops = inet_stream_ops;
-       tls_sw_proto_ops.poll = tls_sw_poll;
+       tls_sw_proto_ops.poll_mask = tls_sw_poll_mask;
         tls_sw_proto_ops.splice_read = tls_sw_splice_read;
  
  #ifdef CONFIG_TLS_DEVICE
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c

index 8ca57d01b18f6bfc55a06bcc0c21d6220c7a01d5..34895b7c132d66a41008bceed3cb0a2f9697edb3 100644 (file)
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -915,23 +915,22 @@ ssize_t tls_sw_splice_read(struct socket *sock,  loff_t *ppos,
         return copied ? : err;
  }
  
-unsigned int tls_sw_poll(struct file *file, struct socket *sock,
-                        struct poll_table_struct *wait)
+__poll_t tls_sw_poll_mask(struct socket *sock, __poll_t events)
  {
-       unsigned int ret;
         struct sock *sk = sock->sk;
         struct tls_context *tls_ctx = tls_get_ctx(sk);
         struct tls_sw_context_rx *ctx = tls_sw_ctx_rx(tls_ctx);
+       __poll_t mask;
  
-       /* Grab POLLOUT and POLLHUP from the underlying socket */
-       ret = ctx->sk_poll(file, sock, wait);
+       /* Grab EPOLLOUT and EPOLLHUP from the underlying socket */
+       mask = ctx->sk_poll_mask(sock, events);
  
-       /* Clear POLLIN bits, and set based on recv_pkt */
-       ret &= ~(POLLIN | POLLRDNORM);
+       /* Clear EPOLLIN bits, and set based on recv_pkt */
+       mask &= ~(EPOLLIN | EPOLLRDNORM);
         if (ctx->recv_pkt)
-               ret |= POLLIN | POLLRDNORM;
+               mask |= EPOLLIN | EPOLLRDNORM;
  
-       return ret;
+       return mask;
  }
  
  static int tls_read_size(struct strparser *strp, struct sk_buff *skb)
@@ -1188,7 +1187,7 @@ int tls_set_sw_offload(struct sock *sk, struct tls_context *ctx, int tx)
                 sk->sk_data_ready = tls_data_ready;
                 write_unlock_bh(&sk->sk_callback_lock);
  
-               sw_ctx_rx->sk_poll = sk->sk_socket->ops->poll;
+               sw_ctx_rx->sk_poll_mask = sk->sk_socket->ops->poll_mask;
  
                 strp_check_rcv(&sw_ctx_rx->strp);
         }
author	Daniel Borkmann <daniel@iogearbox.net>
	Mon, 11 Jun 2018 21:22:04 +0000 (23:22 +0200)
committer	David S. Miller <davem@davemloft.net>
	Mon, 11 Jun 2018 23:29:54 +0000 (16:29 -0700)
include/net/tls.h		patch \| blob \| history
net/tls/tls_main.c		patch \| blob \| history
net/tls/tls_sw.c		patch \| blob \| history