From: Jiayuan Chen <jiayuan.chen@linux.dev>
To: Weiming Shi <bestswngs@gmail.com>, Jiri Pirko <jiri@resnulli.us>,
Andrew Lunn <andrew+netdev@lunn.ch>,
"David S . Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>
Cc: netdev@vger.kernel.org, Xiang Mei <xmei5@asu.edu>
Subject: Re: [PATCH net v4] net: team: fix NULL pointer dereference in team_xmit during mode change
Date: Thu, 21 May 2026 18:33:11 +0800
Message-ID: <cd952f45-e56f-4ba4-98fb-997a288d94ec@linux.dev>
In-Reply-To: <20260521081159.1491563-3-bestswngs@gmail.com>
On 5/21/26 4:12 PM, Weiming Shi wrote:
> __team_change_mode() clears team->ops with memset() before restoring
> safe dummy handlers via team_adjust_ops(). A concurrent team_xmit()
> running under RCU on another CPU can read team->ops.transmit during
> this window and call a NULL function pointer, crashing the kernel.
>
> The race requires a mode change (CAP_NET_ADMIN) concurrent with
> transmit on the team device.
>
> BUG: kernel NULL pointer dereference, address: 0000000000000000
> Oops: 0010 [#1] SMP KASAN NOPTI
> RIP: 0010:0x0
> Call Trace:
> team_xmit (drivers/net/team/team_core.c:1853)
> dev_hard_start_xmit (net/core/dev.c:3904)
> __dev_queue_xmit (net/core/dev.c:4871)
> packet_sendmsg (net/packet/af_packet.c:3109)
> __sys_sendto (net/socket.c:2265)
>
> The original code assumed that no ports means no traffic, so mode
> changes could freely memset()/memcpy() the ops. AF_PACKET with
> forced carrier breaks that assumption.
>
> Prevent the race instead of making it safe: replace memset()/memcpy()
> with per-field updates that never touch transmit or receive. Those
> two handlers are managed solely by team_adjust_ops(), which already
> installs dummies when tx_en_port_count == 0 (always true during mode
> change since no ports are present). WRITE_ONCE/READ_ONCE prevent
> store/load tearing on the handler pointers.
>
> synchronize_net() before exit_op() drains in-flight readers that may
> still reference old mode state from before port removal switched the
> handlers to dummies.
>
> Fixes: 3d249d4ca7d0 ("net: introduce ethernet teaming device")
> Reported-by: Xiang Mei <xmei5@asu.edu>
> Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
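The window the commit message describes, and why per-field stores close it, as an added user-space model (this is not the patch, nor kernel code, and the struct layout, the handler names and the hypothetical `rr_` mode are constructed). WRITE_ONCE/READ_ONCE are stood in for by the GCC/Clang `__atomic` builtins with relaxed ordering, and instead of a second CPU the model calls a `reader` hook at each point where `team_xmit()` could be scheduled, so the result is deterministic:

```c
/* Toy model of the team ops race and the per-field fix. Not kernel code. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct sk_buff;                                  /* opaque stand-in */
typedef int (*handler_fn)(struct sk_buff *skb);

struct team_mode_ops {
    handler_fn transmit;     /* fast path: only team_adjust_ops() writes it */
    handler_fn receive;      /* fast path: only team_adjust_ops() writes it */
    int (*init)(void);       /* mode-private, set by the mode change */
    void (*exit)(void);
};

/* Dummies installed while no port can carry traffic. */
static int team_dummy_transmit(struct sk_buff *skb) { (void)skb; return 0; }
static int team_dummy_receive(struct sk_buff *skb)  { (void)skb; return 0; }

/* Constructed mode with its own handlers and mode-private ops. */
static int  rr_transmit(struct sk_buff *skb) { (void)skb; return 1; }
static int  rr_receive(struct sk_buff *skb)  { (void)skb; return 1; }
static int  rr_init(void) { return 0; }
static void rr_exit(void) {}
static const struct team_mode_ops rr_mode_ops = {
    rr_transmit, rr_receive, rr_init, rr_exit,
};

/* team_adjust_ops(): with no tx-enabled ports the dummies stay installed.
 * The two handler pointers are only ever written here, with WRITE_ONCE. */
static void team_adjust_ops(struct team_mode_ops *ops,
                            const struct team_mode_ops *mode,
                            int tx_en_port_count)
{
    handler_fn tx = (tx_en_port_count && mode->transmit) ? mode->transmit
                                                         : team_dummy_transmit;
    handler_fn rx = (tx_en_port_count && mode->receive) ? mode->receive
                                                        : team_dummy_receive;
    __atomic_store_n(&ops->transmit, tx, __ATOMIC_RELAXED);
    __atomic_store_n(&ops->receive, rx, __ATOMIC_RELAXED);
}

typedef int (*reader_fn)(struct team_mode_ops *);

/* The RCU-side reader (team_xmit) at the instant it runs. Returns -1 where
 * the real kernel would have jumped to address 0 (RIP: 0010:0x0). */
static int team_xmit_probe(struct team_mode_ops *ops)
{
    handler_fn tx = __atomic_load_n(&ops->transmit, __ATOMIC_RELAXED); /* READ_ONCE */
    if (!tx)
        return -1;
    return tx(NULL);
}

/* Pre-fix sequence: memset() opens a window in which transmit is NULL.
 * Returns how many times the concurrent reader saw a NULL handler. */
static int change_mode_unsafe(struct team_mode_ops *ops,
                              const struct team_mode_ops *mode, reader_fn reader)
{
    int null_seen = 0;

    memset(ops, 0, sizeof(*ops));
    null_seen += reader(ops) < 0;     /* transmit == NULL here */
    memcpy(ops, mode, sizeof(*ops));
    null_seen += reader(ops) < 0;
    team_adjust_ops(ops, mode, 0);
    null_seen += reader(ops) < 0;
    return null_seen;
}

/* Fixed sequence: per-field stores that never touch transmit/receive, so a
 * reader sees a dummy at every step and never NULL. */
static int change_mode_safe(struct team_mode_ops *ops,
                            const struct team_mode_ops *mode, reader_fn reader)
{
    int null_seen = 0;

    __atomic_store_n(&ops->init, mode->init, __ATOMIC_RELAXED);
    null_seen += reader(ops) < 0;
    __atomic_store_n(&ops->exit, mode->exit, __ATOMIC_RELAXED);
    null_seen += reader(ops) < 0;
    team_adjust_ops(ops, mode, 0);    /* still no ports: dummies stay */
    null_seen += reader(ops) < 0;
    return null_seen;
}

/* Start from a team as port removal leaves it (dummies installed) and run
 * one mode change; returns the number of NULL observations. */
static int run_mode_change(int use_safe)
{
    struct team_mode_ops ops = { team_dummy_transmit, team_dummy_receive, NULL, NULL };
    return use_safe ? change_mode_safe(&ops, &rr_mode_ops, team_xmit_probe)
                    : change_mode_unsafe(&ops, &rr_mode_ops, team_xmit_probe);
}

int main(void)
{
    printf("unsafe: reader saw NULL transmit %d time(s)\n", run_mode_change(0));
    printf("safe:   reader saw NULL transmit %d time(s)\n", run_mode_change(1));
    return 0;
}
```

The model covers only the tearing/NULL half of the fix. The `synchronize_net()` the patch adds before `exit_op()` addresses the other half: a reader that loaded the old handler before the dummies went in may still be executing it, so mode-private state must outlive that grace period; a deterministic hook cannot show that, which is why it is left out here.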