On Thu, Jan 26, 2017 at 09:13:19PM +0000, Nick Hudson wrote:
> @@ -803,32 +790,14 @@ tunread(dev_t dev, struct uio *uio, int
> goto out;
> }
> tp->tun_flags |= TUN_RWAIT;
> - if (mtsleep((void *)tp, PZERO|PCATCH|PNORELOCK,
> - "tunread", 0, &tp->tun_lock) != 0) {
> + if (cv_wait_sig(&tp->tun_cv, &tp->tun_lock)) {
> error = EINTR;
> - goto out_nolock;
> - } else {
> - /*
> - * Maybe the interface was destroyed while
> - * we were sleeping, so let's ensure that
> - * we're looking at the same (valid) tun
> - * interface before looping.
> - */
> - tp = tun_find_unit(dev);
> - if (tp == NULL) {
> - error = ENXIO;
> - goto out_nolock;
> - }
> - if (tp->tun_if.if_index != index) {
> - error = ENXIO;
> - goto out;
> - }
> + goto out;
> }
> }
If you goto out if tp is NULL, it will dereference it trying to mutex_exit(&tp->tun_lock);