Linux Kernel Team Subsystem Port Override Priority Change Vulnerability

Vulnerability

A vulnerability has been identified in the Linux kernel's team subsystem, in the handling of port override priority changes. When a port is disabled after being enabled, a subsequent priority change can corrupt a list. The vulnerability was triggered by the syzkaller fuzzer, which reported a kernel bug related to list management. The problem is in the 'team_queue_override_port_prio_changed' function, where the check for whether a port is enabled was implemented incorrectly. As a result, the function attempted to remove a port from a list from which it had already been removed, causing a kernel panic.

Impact

Exploitation of this vulnerability leads to a kernel bug, causing a crash due to an invalid opcode error. This is accompanied by a list management corruption issue, where the previous entry in the list is poisoned, indicating a serious integrity problem in the list handling.

Reproduction

The vulnerability can be reproduced by enabling a port in the team subsystem, ensuring it has a non-zero queue ID, and then disabling the port. After the port is disabled, a priority change can be initiated, which will trigger the vulnerability. The 'team_queue_override_port_prio_changed' function will attempt to remove the port from a list, but since the port was already disabled and removed, it will cause a kernel bug by referencing a poisoned list entry.

Remediation

The vulnerability has been addressed in the Linux kernel by correcting the check for port status in the 'team_queue_override_port_prio_changed' function. Users should upgrade to the latest version of the Linux kernel where this fix has been applied.
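
The sequence described under Reproduction and the effect of a correct enabled-port check, as an added user-space C model (not code from the kernel or from this advisory). The struct and function names, the poison values and the check_enabled switch are assumptions made for illustration; the model returns -1 where the kernel would report the list bug.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model; all names and poison values are illustrative assumptions. */
struct node { struct node *next, *prev; };
#define POISON1 ((struct node *)0x100)
#define POISON2 ((struct node *)0x122)
struct port { struct node qom; bool enabled; int queue_id; };

static void list_add(struct node *n, struct node *h) {
    n->next = h->next; n->prev = h;
    h->next->prev = n; h->next = n;
}

/* Unlink and poison; refuse an entry that was already unlinked. */
static int list_del_checked(struct node *n) {
    if (n->next == POISON1 || n->prev == POISON2)
        return -1;                     /* the kernel reports a bug at this point */
    n->prev->next = n->next; n->next->prev = n->prev;
    n->next = POISON1; n->prev = POISON2;
    return 0;
}

static void port_enable(struct port *p, struct node *qom_list) {
    p->enabled = true;
    if (p->queue_id) list_add(&p->qom, qom_list);
}

static int port_disable(struct port *p) {
    p->enabled = false;
    return p->queue_id ? list_del_checked(&p->qom) : 0;
}

/* A priority change repositions the port: delete it, then add it back. */
static int prio_changed(struct port *p, struct node *qom_list, bool check_enabled) {
    if (!p->queue_id) return 0;
    if (check_enabled && !p->enabled) return 0;   /* disabled port is not on the list */
    if (list_del_checked(&p->qom)) return -1;
    list_add(&p->qom, qom_list);
    return 0;
}

/* Replays the advisory's sequence: enable, disable, then change priority. */
static int replay(bool check_enabled) {
    struct node qom_list = { &qom_list, &qom_list };
    struct port p = { .queue_id = 1 };
    port_enable(&p, &qom_list);
    port_disable(&p);
    return prio_changed(&p, &qom_list, check_enabled);
}

int main(void) { printf("%d %d\n", replay(false), replay(true)); return 0; }
```

Without the enabled check the second unlink hits the poisoned entry; with it, the priority change on a disabled port returns before touching the list.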

Added: Jan 13, 2026, 4:44 PM
Updated: Jan 13, 2026, 4:44 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 2.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.