ethtool_get_drvinfo crash in xen/stable.2.6.32.x

ethtool_get_drvinfo crash in xen/stable.2.6.32.x

[M A Young]

I am getting the following crash with a xen/stable.2.6.32.x kernel 
running on a slightly patched xen-4.0.1.

 	Michael Young

BUG: unable to handle kernel NULL pointer dereference at 0000000000000148
IP: [<ffffffff813bcfe2>] ethtool_get_drvinfo+0x106/0x1a5
PGD d8040067 PUD d8041067 PMD 0
Oops: 0000 [#1] SMP
last sysfs file: /sys/devices/pci0000:00/0000:00:1c.0/0000:09:00.0/irq
CPU 0
Modules linked in: ebtable_nat ebtables ipt_MASQUERADE iptable_nat nf_nat 
bridge
  stp llc rfcomm sco bnep l2cap xt_physdev ip6t_REJECT nf_conntrack_ipv6 
ip6table
_filter ip6_tables ipv6 xen_netback xen_blkback blkback_pagemap xen_gntdev 
xen_e
vtchn xenfs uinput snd_hda_codec_idt snd_hda_codec_intelhdmi snd_hda_intel 
snd_h
da_codec arc4 ecb snd_hwdep iwlagn snd_seq snd_seq_device iwlcore snd_pcm 
snd_ti
mer snd mac80211 uvcvideo btusb videodev soundcore sky2 cfg80211 microcode 
bluet
ooth snd_page_alloc v4l1_compat v4l2_compat_ioctl32 dell_laptop iTCO_wdt 
rfkill
iTCO_vendor_support i2c_i801 joydev dell_wmi serio_raw dcdbas wmi 
sdhci_pci fire
wire_ohci firewire_core crc_itu_t sdhci mmc_core i915 drm_kms_helper drm 
i2c_alg
o_bit i2c_core video output [last unloaded: scsi_wait_scan]
Pid: 1390, comm: irqbalance Not tainted 
2.6.32.26-174.2.xendom0.fc12.x86_64 #1 I
nspiron 1525
RIP: e030:[<ffffffff813bcfe2>]  [<ffffffff813bcfe2>] 
ethtool_get_drvinfo+0x106/0
x1a5
RSP: e02b:ffff8800d8867998  EFLAGS: 00010246
RAX: 0000000000000006 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000020 RSI: ffffffffa023a3c4 RDI: ffff8800d88679a2
RBP: ffff8800d8867a88 R08: ffff8800d886799c R09: 0000000000000006
R10: 0000000000000001 R11: 0000000000000001 R12: ffff880002e40000
R13: 00007ffff84e2230 R14: ffff8800d8867998 R15: 00000000ffffffa1
FS:  00007f9a2e20b740(0000) GS:ffff8800081d0000(0000) 
knlGS:0000000000000000
CS:  e033 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000148 CR3: 00000000d7651000 CR4: 0000000000002660
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process irqbalance (pid: 1390, threadinfo ffff8800d8866000, task 
ffff8800d880975
0)
Stack:
616c776900000003 0000000000006e67 0000000000000000 0000000000000000
  0000000000000000 0000000000000000 0000000000000000 0000000000000000
  0000000000000000 0000000000000000 0000000000000000 0000000000000000
Call Trace:
[<ffffffff813bd298>] dev_ethtool+0x93/0x1153
[<ffffffff810dd957>] ? __alloc_pages_nodemask+0x122/0x62d
[<ffffffff810dd957>] ? __alloc_pages_nodemask+0x122/0x62d
[<ffffffff811ee21e>] ? avc_has_perm+0x5c/0x6e
[<ffffffff811158ad>] ? try_get_mem_cgroup_from_mm+0x39/0x49
[<ffffffff8100cf3f>] ? xen_pte_val+0x69/0x6d
[<ffffffff8100c555>] ? __raw_callee_save_xen_pte_val+0x15/0x23
[<ffffffff8100efcd>] ? xen_force_evtchn_callback+0xd/0xf
[<ffffffff8100f702>] ? check_events+0x12/0x20
[<ffffffff8100f6ef>] ? xen_restore_fl_direct_end+0x0/0x1
[<ffffffff810dcbfe>] ? free_hot_cold_page+0x17c/0x18b
[<ffffffff813b7b8e>] ? dev_name_hash+0x1f/0x61
[<ffffffff81046da5>] ? __might_sleep+0x28/0xef
[<ffffffff813bc524>] dev_ioctl+0x510/0x662
[<ffffffff811efd88>] ? inode_has_perm+0x7a/0x90
[<ffffffff813a9d79>] sock_ioctl+0x216/0x223
[<ffffffff8100f6ef>] ? xen_restore_fl_direct_end+0x0/0x1
[<ffffffff8110f32e>] ? kmem_cache_alloc+0xa7/0x114
[<ffffffff8112c658>] vfs_ioctl+0x22/0x87
[<ffffffff8112cbb4>] do_vfs_ioctl+0x47b/0x4c1
[<ffffffff8112cc50>] sys_ioctl+0x56/0x79
[<ffffffff813aaed0>] ? sys_socket+0x40/0x5c
[<ffffffff81012d32>] system_call_fastpath+0x16/0x1b
Code: 01 00 00 00 4c 89 e7 ff 93 40 01 00 00 85 c0 78 03 89 45 c4 be 02 00 
00 00
  4c 89 e7 ff 93 40 01 00 00 85 c0 78 32 89 45 c0 eb 2d <48> 8b 83 48 01 00 
00 48
  85 c0 74 08 4c 89 e7 ff d0 89 45 c8 48
RIP  [<ffffffff813bcfe2>] ethtool_get_drvinfo+0x106/0x1a5
RSP <ffff8800d8867998>

[PATCH xen/stable-2.6.32.x] fix ethtool_get_drvinfo NULL pointer dereference

[Paolo Bonzini]

Fixes the following crash on "ethtool -i":

BUG: unable to handle kernel NULL pointer dereference at 0000000000000148
IP: [<ffffffff813bcfe2>] ethtool_get_drvinfo+0x106/0x1a5
PGD d8040067 PUD d8041067 PMD 0
Oops: 0000 [#1] SMP
last sysfs file: /sys/devices/pci0000:00/0000:00:1c.0/0000:09:00.0/irq 
...
Call Trace:
[<ffffffff813bd298>] dev_ethtool+0x93/0x1153
[<ffffffff810dd957>] ? __alloc_pages_nodemask+0x122/0x62d
[<ffffffff810dd957>] ? __alloc_pages_nodemask+0x122/0x62d
[<ffffffff811ee21e>] ? avc_has_perm+0x5c/0x6e
[<ffffffff811158ad>] ? try_get_mem_cgroup_from_mm+0x39/0x49 
...
RIP  [<ffffffff813bcfe2>] ethtool_get_drvinfo+0x106/0x1a5 

The backport of 01414802 was incomplete.  This is the patch we are
using in RHEL6.

Reported-by: M A Young <m.a.young@durham.ac.uk>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Cc: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com>
---
 ethtool.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/core/ethtool.c b/net/core/ethtool.c
index ff35ce3..8ca3a26 100644
--- a/net/core/ethtool.c
+++ b/net/core/ethtool.c
@@ -211,9 +211,9 @@ static int ethtool_get_drvinfo(struct net_device *dev, void __user *useraddr)
 	} else {
 		/* code path for obsolete hooks */
 
-		if (ops->self_test_count)
+		if (ops && ops->self_test_count)
 			info.testinfo_len = ops->self_test_count(dev);
-		if (ops->get_stats_count)
+		if (ops && ops->get_stats_count)
 			info.n_stats = ops->get_stats_count(dev);
 	}
 	if (ops && ops->get_regs_len)