r8169 null pointer dereference

r8169 null pointer dereference

[Jay Cliburn]

Francois,

I get this on 2.6.21-rc5 and earlier kernels going back to at least
2.6.20-git14, both i386 and x86_64, dual-core AM2 and LGA775
motherboards, using two different RTL8169 PCI add-in cards.  Has anyone
else reported it?

Unable to handle kernel NULL pointer dereference at  
 [<ffffffff883b43e5>] :r8169:rtl8169_rx_interrupt+0x5d/0x529
PGD 1d6bb067 PUD 1d6b9067 PMD 0 
Oops: 0000 [1] SMP 
last sysfs file: /class/net/eth1/address
CPU 1 
Modules linked in: r8169 i915 drm w83627ehf hwmon i2c_isa eeprom nf_conntrack_nd
Pid: 2689, comm: ip Not tainted 2.6.20-1.3024.fc7 #1
RIP: 0010:[<ffffffff883b43e5>]  [<ffffffff883b43e5>] :r8169:rtl8169_rx_interrup9
RSP: 0018:ffff81003f73be10  EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff81001d546000 RCX: ffffffff8020cb04
RDX: 0000000000000000 RSI: ffff81001d546900 RDI: ffff81001d546000
RBP: ffff81003f73be60 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000001 R11: ffffffff80263d40 R12: ffff81001d546900
R13: 0000000000000000 R14: ffff81001d546900 R15: 00000000fffcb85d
FS:  00002aaaaaac6820(0000) GS:ffff81003f783d58(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000000 CR3: 000000001d623000 CR4: 00000000000006e0
Process ip (pid: 2689, threadinfo ffff81001d65a000, task ffff81001d680080)
Stack:  ffff81001d6807d8 ffff81001d546000 000000001d680080 0000000000000040
 ffff81001d6807a0 ffff81001d546000 ffff81001d546000 ffff8100026281d0
 ffff81001d546900 00000000fffcb85d ffff81003f73bec0 ffffffff883b6a10
Call Trace:
 <IRQ>  [<ffffffff883b6a10>] :r8169:rtl8169_poll+0x45/0x203
 [<ffffffff8020cbba>] net_rx_action+0xb0/0x1cf
 [<ffffffff80292d0a>] run_timer_softirq+0x1d0/0x1db
 [<ffffffff883b4fa3>] :r8169:rtl8169_interrupt+0x0/0x207
 [<ffffffff80211ca6>] __do_softirq+0x5f/0xe3
 [<ffffffff8025d31c>] call_softirq+0x1c/0x28
 [<ffffffff8026be1b>] do_softirq+0x3d/0xab
 [<ffffffff80290089>] irq_exit+0x4e/0x50
 [<ffffffff8027612d>] smp_apic_timer_interrupt+0x48/0x5a
 [<ffffffff8025cdcb>] apic_timer_interrupt+0x6b/0x70
 <EOI>  [<ffffffff802bcd03>] request_irq+0xb/0x11f
 [<ffffffff802bcddb>] request_irq+0xe3/0x11f
 [<ffffffff883b544f>] :r8169:rtl8169_open+0x56/0x1d9
 [<ffffffff80410364>] dev_open+0x37/0x79
 [<ffffffff8040ea60>] dev_change_flags+0x5d/0x122
 [<ffffffff80443fc8>] devinet_ioctl+0x259/0x5e9
 [<ffffffff80444618>] inet_ioctl+0x71/0x8f
 [<ffffffff80406de8>] sock_ioctl+0x1db/0x1fc
 [<ffffffff802414e5>] do_ioctl+0x2a/0x77
 [<ffffffff80230bb1>] vfs_ioctl+0x260/0x27d
 [<ffffffff8024bc6e>] sys_ioctl+0x5f/0x82
 [<ffffffff8025c2b5>] tracesys+0xdc/0xe1


Code: 41 8b 5d 00 85 db 0f 88 f7 03 00 00 f7 c3 00 00 20 00 74 60 
RIP  [<ffffffff883b43e5>] :r8169:rtl8169_rx_interrupt+0x5d/0x529
 RSP <ffff81003f73be10>
CR2: 0000000000000000
Kernel panic - not syncing: Aiee, killing interrupt handler!

Re: r8169 null pointer dereference

[Francois Romieu]

Jay Cliburn <jacliburn@bellsouth.net> :
> Francois,
> 
> I get this on 2.6.21-rc5 and earlier kernels going back to at least
> 2.6.20-git14, both i386 and x86_64, dual-core AM2 and LGA775
> motherboards, using two different RTL8169 PCI add-in cards.  Has anyone
> else reported it?

No. It does not look like a post 2.6.20 r8169 regresssion. Can you publish
the output of an 'objdump -S r8169.ko' someplace and test the patch below
against 2.6.21-rc5

diff --git a/drivers/net/r8169.c b/drivers/net/r8169.c
index 521b5f0..2ecf8e9 100644
--- a/drivers/net/r8169.c
+++ b/drivers/net/r8169.c
@@ -1751,16 +1751,10 @@ static int rtl8169_open(struct net_devic
 {
 	struct rtl8169_private *tp = netdev_priv(dev);
 	struct pci_dev *pdev = tp->pci_dev;
-	int retval;
+	int retval = -ENOMEM;
 
-	rtl8169_set_rxbufsize(tp, dev);
 
-	retval =
-	    request_irq(dev->irq, rtl8169_interrupt, IRQF_SHARED, dev->name, dev);
-	if (retval < 0)
-		goto out;
-
-	retval = -ENOMEM;
+	rtl8169_set_rxbufsize(tp, dev);
 
 	/*
 	 * Rx and Tx desscriptors needs 256 bytes alignment.
@@ -1769,19 +1763,24 @@ static int rtl8169_open(struct net_devic
 	tp->TxDescArray = pci_alloc_consistent(pdev, R8169_TX_RING_BYTES,
 					       &tp->TxPhyAddr);
 	if (!tp->TxDescArray)
-		goto err_free_irq;
+		goto out;
 
 	tp->RxDescArray = pci_alloc_consistent(pdev, R8169_RX_RING_BYTES,
 					       &tp->RxPhyAddr);
 	if (!tp->RxDescArray)
-		goto err_free_tx;
+		goto err_free_tx_0;
 
 	retval = rtl8169_init_ring(dev);
 	if (retval < 0)
-		goto err_free_rx;
+		goto err_free_rx_1;
 
 	INIT_DELAYED_WORK(&tp->task, NULL);
 
+	retval = request_irq(dev->irq, rtl8169_interrupt, IRQF_SHARED,
+			     dev->name, dev);
+	if (retval < 0)
+		goto err_release_ring_2;
+
 	rtl8169_hw_start(dev);
 
 	rtl8169_request_timer(dev);
@@ -1790,14 +1789,14 @@ static int rtl8169_open(struct net_devic
 out:
 	return retval;
 
-err_free_rx:
+err_release_ring_2:
+	rtl8169_rx_clear(tp);
+err_free_rx_1:
 	pci_free_consistent(pdev, R8169_RX_RING_BYTES, tp->RxDescArray,
 			    tp->RxPhyAddr);
-err_free_tx:
+err_free_tx_0:
 	pci_free_consistent(pdev, R8169_TX_RING_BYTES, tp->TxDescArray,
 			    tp->TxPhyAddr);
-err_free_irq:
-	free_irq(dev->irq, dev);
 	goto out;
 }
 

Re: r8169 null pointer dereference

[Jay Cliburn]

On Sun, 1 Apr 2007 12:00:00 +0200
Francois Romieu <romieu@fr.zoreil.com> wrote:

> Jay Cliburn <jacliburn@bellsouth.net> :
> > Francois,
> > 
> > I get this on 2.6.21-rc5 and earlier kernels going back to at least
> > 2.6.20-git14, both i386 and x86_64, dual-core AM2 and LGA775
> > motherboards, using two different RTL8169 PCI add-in cards.  Has
> > anyone else reported it?
> 
> No. It does not look like a post 2.6.20 r8169 regresssion. Can you
> publish the output of an 'objdump -S r8169.ko' someplace 

ftp://ftp.hogchain.net/pub/linux/r8169/r8169-obj-dump.txt

> and test the patch below against 2.6.21-rc5

The patch works against 2.6.21-rc5-git1.  (First I had to do some minor
function reordering to get it to compile.)

I can now load the module without generating an oops.

(FYI, the new Fedora 7 Test 3 Live CD (i386) won't boot because of
this problem, at least on my AM2 and LGA775 systems.)

Thanks Francois.

> 
> diff --git a/drivers/net/r8169.c b/drivers/net/r8169.c
> index 521b5f0..2ecf8e9 100644
> --- a/drivers/net/r8169.c
> +++ b/drivers/net/r8169.c
> @@ -1751,16 +1751,10 @@ static int rtl8169_open(struct net_devic
>  {
>  	struct rtl8169_private *tp = netdev_priv(dev);
>  	struct pci_dev *pdev = tp->pci_dev;
> -	int retval;
> +	int retval = -ENOMEM;
>  
> -	rtl8169_set_rxbufsize(tp, dev);
>  
> -	retval =
> -	    request_irq(dev->irq, rtl8169_interrupt, IRQF_SHARED,
> dev->name, dev);
> -	if (retval < 0)
> -		goto out;
> -
> -	retval = -ENOMEM;
> +	rtl8169_set_rxbufsize(tp, dev);
>  
>  	/*
>  	 * Rx and Tx desscriptors needs 256 bytes alignment.
> @@ -1769,19 +1763,24 @@ static int rtl8169_open(struct net_devic
>  	tp->TxDescArray = pci_alloc_consistent(pdev,
> R8169_TX_RING_BYTES, &tp->TxPhyAddr);
>  	if (!tp->TxDescArray)
> -		goto err_free_irq;
> +		goto out;
>  
>  	tp->RxDescArray = pci_alloc_consistent(pdev,
> R8169_RX_RING_BYTES, &tp->RxPhyAddr);
>  	if (!tp->RxDescArray)
> -		goto err_free_tx;
> +		goto err_free_tx_0;
>  
>  	retval = rtl8169_init_ring(dev);
>  	if (retval < 0)
> -		goto err_free_rx;
> +		goto err_free_rx_1;
>  
>  	INIT_DELAYED_WORK(&tp->task, NULL);
>  
> +	retval = request_irq(dev->irq, rtl8169_interrupt,
> IRQF_SHARED,
> +			     dev->name, dev);
> +	if (retval < 0)
> +		goto err_release_ring_2;
> +
>  	rtl8169_hw_start(dev);
>  
>  	rtl8169_request_timer(dev);
> @@ -1790,14 +1789,14 @@ static int rtl8169_open(struct net_devic
>  out:
>  	return retval;
>  
> -err_free_rx:
> +err_release_ring_2:
> +	rtl8169_rx_clear(tp);
> +err_free_rx_1:
>  	pci_free_consistent(pdev, R8169_RX_RING_BYTES,
> tp->RxDescArray, tp->RxPhyAddr);
> -err_free_tx:
> +err_free_tx_0:
>  	pci_free_consistent(pdev, R8169_TX_RING_BYTES,
> tp->TxDescArray, tp->TxPhyAddr);
> -err_free_irq:
> -	free_irq(dev->irq, dev);
>  	goto out;
>  }
>