    team: fix possible null pointer dereference in team_handle_frame · c8fc8473
    Jiri Pirko authored
    commit 57e59563 upstream.
    
    Currently the following race is possible in team:
    
    CPU0                                        CPU1
                                                team_port_del
                                                  team_upper_dev_unlink
                                                    priv_flags &= ~IFF_TEAM_PORT
    team_handle_frame
      team_port_get_rcu
        team_port_exists
          priv_flags & IFF_TEAM_PORT == 0
        return NULL (instead of port got
                     from rx_handler_data)
                                                  netdev_rx_handler_unregister
    
    The thing is that the flag is removed before rx_handler is unregistered.
    If team_handle_frame is called in between, team_port_exists returns 0
    and team_port_get_rcu will return NULL.
    So do not check the flag here. It is guaranteed by netdev_rx_handler_unregister
    that team_handle_frame will always see a valid rx_handler_data pointer.
    
    Signed-off-by: Jiri Pirko <jiri@resnulli.us>
    Fixes: 3d249d4c ("net: introduce ethernet teaming device")
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Kamal Mostafa <kamal@canonical.com>
team.c 68.7 KB
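
The interleaving from the commit message, replayed deterministically as an added user-space model (not the contents of team.c and not code from the commit). The struct layouts, the flag value and the `port_get_*`/`step_*` names are simplified assumptions; only the ordering of the two `team_port_del` steps and the flag-gated lookup come from the message.

```c
#include <stddef.h>
#include <stdio.h>

#define IFF_TEAM_PORT 0x1u              /* constructed value, model only */

struct team_port { int index; };
struct net_device {                     /* simplified stand-in, not the kernel struct */
	unsigned int priv_flags;
	void *rx_handler_data;          /* valid while the rx_handler is registered */
};

/* Pre-fix behaviour described in the message: pointer is gated on the flag. */
static struct team_port *port_get_flag_checked(const struct net_device *dev)
{
	struct team_port *port = dev->rx_handler_data;
	return (dev->priv_flags & IFF_TEAM_PORT) ? port : NULL;
}

/* Post-fix behaviour: rely on rx_handler_data alone. */
static struct team_port *port_get_unchecked(const struct net_device *dev)
{
	return dev->rx_handler_data;
}

/* The two team_port_del steps, in the order shown in the CPU1 column. */
static void step_upper_dev_unlink(struct net_device *dev) { dev->priv_flags &= ~IFF_TEAM_PORT; }
static void step_rx_handler_unregister(struct net_device *dev) { dev->rx_handler_data = NULL; }

typedef struct team_port *(*lookup_fn)(const struct net_device *);

/* Returns 1 if a frame handled between the two steps would see a NULL port. */
static int lookup_is_null_in_window(lookup_fn lookup)
{
	struct team_port port = { .index = 0 };
	struct net_device dev = { .priv_flags = IFF_TEAM_PORT, .rx_handler_data = &port };
	int saw_null;

	step_upper_dev_unlink(&dev);            /* CPU1: flag cleared */
	saw_null = (lookup(&dev) == NULL);      /* CPU0: team_handle_frame runs here */
	step_rx_handler_unregister(&dev);       /* CPU1: handler goes away afterwards */
	return saw_null;
}

int main(void)
{
	printf("flag-checked lookup NULL in window: %d\n", lookup_is_null_in_window(port_get_flag_checked));
	printf("unchecked lookup NULL in window:    %d\n", lookup_is_null_in_window(port_get_unchecked));
	return 0;
}
```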