From patchwork Thu Jul 31 19:48:59 2014
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Daniel Borkmann <dborkman@redhat.com>
X-Patchwork-Id: 375410
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id CDC75140081
	for <patchwork-incoming@ozlabs.org>;
	Fri,  1 Aug 2014 05:49:23 +1000 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751900AbaGaTtQ (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Thu, 31 Jul 2014 15:49:16 -0400
Received: from mx1.redhat.com ([209.132.183.28]:21116 "EHLO mx1.redhat.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1751796AbaGaTtO (ORCPT <rfc822;netdev@vger.kernel.org>);
	Thu, 31 Jul 2014 15:49:14 -0400
Received: from int-mx10.intmail.prod.int.phx2.redhat.com
	(int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23])
	by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s6VJn1w2016315
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256
	verify=OK); Thu, 31 Jul 2014 15:49:01 -0400
Received: from localhost (vpn1-6-63.ams2.redhat.com [10.36.6.63])
	by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with
	ESMTP id s6VJn059013465; Thu, 31 Jul 2014 15:49:00 -0400
From: Daniel Borkmann <dborkman@redhat.com>
To: davem@davemloft.net
Cc: netdev@vger.kernel.org, Pablo Neira <pablo@netfilter.org>,
	Alexei Starovoitov <ast@plumgrid.com>, Jiri Pirko <jiri@resnulli.us>
Subject: [PATCH net-next] team: fix releasing uninitialized pointer to BPF
	prog
Date: Thu, 31 Jul 2014 21:48:59 +0200
Message-Id: <1406836139-11943-1-git-send-email-dborkman@redhat.com>
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.23
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

Commit 34c5bd66e5ed introduced the possibility that an
uninitialized pointer on the stack (orig_fp) can call into
sk_unattached_filter_destroy() when its value is non NULL.

Before that commit orig_fp was only destroyed in the same
block where it was assigned a valid BPF prog before. Fix it
up by initializing it to NULL.

Fixes: 34c5bd66e5ed ("net: filter: don't release unattached filter through call_rcu()")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Cc: Pablo Neira <pablo@netfilter.org>
Cc: Alexei Starovoitov <ast@plumgrid.com>
Cc: Jiri Pirko <jiri@resnulli.us>
---
 drivers/net/team/team_mode_loadbalance.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/team/team_mode_loadbalance.c b/drivers/net/team/team_mode_loadbalance.c
index 7106f34..d7be9b3 100644
--- a/drivers/net/team/team_mode_loadbalance.c
+++ b/drivers/net/team/team_mode_loadbalance.c
@@ -272,7 +272,7 @@ static int lb_bpf_func_set(struct team *team, struct team_gsetter_ctx *ctx)
 {
 	struct lb_priv *lb_priv = get_lb_priv(team);
 	struct sk_filter *fp = NULL;
-	struct sk_filter *orig_fp;
+	struct sk_filter *orig_fp = NULL;
 	struct sock_fprog_kern *fprog = NULL;
 	int err;