Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

bonding: Fix race condition between bond_enslave() and bond_3ad_update_lacp_rate()

port->slave can be NULL since it's being initialized in bond_enslave,
thus dereferencing a NULL pointer in bond_3ad_update_lacp_rate().
Also fix a minor bug, which could cause a port not to have
AD_STATE_LACP_TIMEOUT since there's no sync between
bond_3ad_update_lacp_rate() and bond_3ad_bind_slave(), by changing
the read_lock to a write_lock_bh in bond_3ad_update_lacp_rate().

Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
Signed-off-by: Jay Vosburgh <fubar@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by nikolay@redhat.com and committed by David S. Miller
b59340c2 ccae0e50

+4 -2
drivers/net/bonding/bond_3ad.c
··· 2494 2494 struct port *port = NULL; 2495 2495 int lacp_fast; 2496 2496 2497 - read_lock(&bond->lock); 2497 + write_lock_bh(&bond->lock); 2498 2498 lacp_fast = bond->params.lacp_fast; 2499 2499 2500 2500 bond_for_each_slave(bond, slave, i) { 2501 2501 port = &(SLAVE_AD_INFO(slave).port); 2502 + if (port->slave == NULL) 2503 + continue; 2502 2504 __get_state_machine_lock(port); 2503 2505 if (lacp_fast) 2504 2506 port->actor_oper_port_state |= AD_STATE_LACP_TIMEOUT; ··· 2509 2507 __release_state_machine_lock(port); 2510 2508 } 2511 2509 2512 - read_unlock(&bond->lock); 2510 + write_unlock_bh(&bond->lock); 2513 2511 }
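
Review bot: the new `if (port->slave == NULL) continue;` check inside the bond_for_each_slave() loop skips a half-initialized port without any comment, so a reader of this function cannot tell how that port later gets AD_STATE_LACP_TIMEOUT set to match lacp_fast. Please add a short comment above the check stating that the port is still being set up by bond_enslave() and naming the path that applies the timeout state to it afterwards. The switch from read_lock() to write_lock_bh() at the top of the function deserves a one-line comment as well, since the loop body only changes per-port state under __get_state_machine_lock() and the reason for taking bond->lock as a writer is stated only in the commit message.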