hollalinux
/
linux-sg2042
mirror of https://github.com/sophgo/linux-riscv.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

tun: Fix races in tun_set_iff 

It is possible for two different tasks with access to the same file
descriptor to call tun_set_iff on it at the same time and race to
attach to a tap device.  Prevent this by placing all of the logic to
attach to a file descriptor in one function and testing the file
descriptor to be certain it is not already attached to another tun
device.

Signed-off-by: Eric W. Biederman <ebiederm@aristanetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Eric W. Biederman 2009-01-20 10:57:48 +00:00 committed by David S. Miller
parent 74a3e5a71c
commit a7385ba211
1 changed files with 32 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
drivers/net/tun.c
View File

@ -106,6 +106,31 @@ struct tun_struct {
#endif #endif
}; };
static int tun_attach(struct tun_struct *tun, struct file *file)
{
const struct cred *cred = current_cred();
ASSERT_RTNL();
if (file->private_data)
return -EINVAL;
if (tun->attached)
return -EBUSY;
/* Check permissions */
if (((tun->owner != -1 && cred->euid != tun->owner) ||
(tun->group != -1 && cred->egid != tun->group)) &&
!capable(CAP_NET_ADMIN))
return -EPERM;
file->private_data = tun;
tun->attached = 1;
get_net(dev_net(tun->dev));
return 0;
}
/* TAP filterting */ /* TAP filterting */
static void addr_hash_set(u32 *mask, const u8 *addr) static void addr_hash_set(u32 *mask, const u8 *addr)
{ {
@ -695,7 +720,6 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
{ {
struct tun_struct *tun; struct tun_struct *tun;
struct net_device *dev; struct net_device *dev;
const struct cred *cred = current_cred();
int err; int err;
dev = __dev_get_by_name(net, ifr->ifr_name); dev = __dev_get_by_name(net, ifr->ifr_name);
@ -707,17 +731,9 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
else else
return -EINVAL; return -EINVAL;
if (tun->attached) err = tun_attach(tun, file);
return -EBUSY; if (err < 0)
return err;
/* Check permissions */
if (((tun->owner != -1 &&
cred->euid != tun->owner) ||
(tun->group != -1 &&
cred->egid != tun->group)) &&
!capable(CAP_NET_ADMIN)) {
return -EPERM;
}
} }
else { else {
char *name; char *name;
@ -766,6 +782,10 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
err = register_netdevice(tun->dev); err = register_netdevice(tun->dev);
if (err < 0) if (err < 0)
goto err_free_dev; goto err_free_dev;
err = tun_attach(tun, file);
if (err < 0)
goto err_free_dev;
} }
DBG(KERN_INFO "%s: tun_set_iff\n", tun->dev->name); DBG(KERN_INFO "%s: tun_set_iff\n", tun->dev->name);
@ -785,10 +805,6 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
else else
tun->flags &= ~TUN_VNET_HDR; tun->flags &= ~TUN_VNET_HDR;
file->private_data = tun;
tun->attached = 1;
get_net(dev_net(tun->dev));
/* Make sure persistent devices do not get stuck in /* Make sure persistent devices do not get stuck in
* xoff state. * xoff state.
*/ */