netdev.vger.kernel.org archive mirror
From: akepner <akepner@riverbed.com>
To: netdev@vger.kernel.org
Cc: e1000-devel@lists.sourceforge.net
Subject: Re: e1000e: avoid NULL pointer deref in e1000_print_hw_hang()
Date: Wed, 20 Mar 2013 18:52:58 -0700	[thread overview]
Message-ID: <20130321015258.GA910@riverbed.com> (raw)
In-Reply-To: <20130321014005.GD6755@riverbed.com>


(Resending - the previous version was against our local 
tree, not the upstream tree.)

If an e1000e interface is brought down, and subsequently 
'print_hang_task' is run we'll dereference a NULL 'buffer_info' 
pointer and crash with something like this: 

Mar 19 13:20:27  BUG: unable to handle kernel NULL pointer dereference at 000000000000001a
Mar 19 13:20:27  IP: [<ffffffff8145040c>] e1000_print_hw_hang+0x4c/0x390
Mar 19 13:20:27  PGD 82668067 PUD 763f6067 PMD 0
Mar 19 13:20:27  Oops: 0000 [#1] SMP
Mar 19 13:20:27  last sysfs file: /sys/devices/virtual/bypass/2-3/ping_watchdog
Mar 19 13:20:27  CPU 3
Mar 19 13:20:27  Pid: 18, comm: events/3 Tainted: P           ----------------   2.6.32 #1 empty
Mar 19 13:20:28  RIP: 0010:[<ffffffff8145040c>]  [<ffffffff8145040c>] e1000_print_hw_hang+0x4c/0x390
Mar 19 13:20:28  RSP: 0000:ffff88019ee71d40  EFLAGS: 00010202
Mar 19 13:20:28  RAX: 0000000000000000 RBX: ffff88019b64b3a0 RCX: ffff88019b648700
Mar 19 13:20:28  RDX: 0000000000000000 RSI: ffff88019b648000 RDI: ffff88019b64b3a0
Mar 19 13:20:28  RBP: ffff88019ee71e30 R08: 0000000000000000 R09: 0000000000000000
Mar 19 13:20:28  R10: ffff880028401340 R11: 0000000000000006 R12: ffff88019b5865c0
Mar 19 13:20:28  R13: ffffffff814503c0 R14: 0000000000000000 R15: ffff8800282d8a08
Mar 19 13:20:28  FS:  0000000000000000(0000) GS:ffff8800282c0000(0000) knlGS:0000000000000000
Mar 19 13:20:28  CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
Mar 19 13:20:28  CR2: 000000000000001a CR3: 0000000076364000 CR4: 00000000000406e0
Mar 19 13:20:28  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Mar 19 13:20:28  DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Mar 19 13:20:28  Process events/3 (pid: 18, threadinfo ffff88019ee70000, task ffff88019ee6f560)
Mar 19 13:20:28  Stack:
Mar 19 13:20:28   0000000000000000 0000000000000001 ffff88019ee71fd8 ffffea000173d740
Mar 19 13:20:28  <0> ffff88019ee71dd0 0000000000000282 ffff88019ee71fd8 ffff8800282d8a08
Mar 19 13:20:29  <0> ffff88019ee71da0 ffffffff811045ed ffffea000173d740 0000000000000000
Mar 19 13:20:29  Call Trace:
Mar 19 13:20:29   [<ffffffff811045ed>] ? free_hot_page+0x2d/0x60
Mar 19 13:20:29   [<ffffffff81127a6c>] ? __vunmap+0x9c/0x120
Mar 19 13:20:29   [<ffffffff8116cfb0>] ? free_fdtable_work+0x0/0x90
Mar 19 13:20:29   [<ffffffff814503c0>] ? e1000_print_hw_hang+0x0/0x390
Mar 19 13:20:29   [<ffffffff81081120>] worker_thread+0x170/0x2a0
Mar 19 13:20:29   [<ffffffff81086a60>] ? autoremove_wake_function+0x0/0x40
Mar 19 13:20:29   [<ffffffff81080fb0>] ? worker_thread+0x0/0x2a0
Mar 19 13:20:29   [<ffffffff810866f6>] kthread+0x96/0xa0
Mar 19 13:20:29   [<ffffffff8100c0ea>] child_rip+0xa/


(This was seen on a pretty old kernel/driver, but looks like
the same bug is still possible.)

Signed-off-by: <akepner@riverbed.com>

--- 

diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c
index 948b86ff..46a3ea4 100644
--- a/drivers/net/ethernet/intel/e1000e/netdev.c
+++ b/drivers/net/ethernet/intel/e1000e/netdev.c
@@ -1070,18 +1070,25 @@ static void e1000_print_hw_hang(struct work_struct *work)
 	struct e1000_adapter *adapter = container_of(work,
 	                                             struct e1000_adapter,
 	                                             print_hang_task);
-	struct net_device *netdev = adapter->netdev;
-	struct e1000_ring *tx_ring = adapter->tx_ring;
-	unsigned int i = tx_ring->next_to_clean;
-	unsigned int eop = tx_ring->buffer_info[i].next_to_watch;
-	struct e1000_tx_desc *eop_desc = E1000_TX_DESC(*tx_ring, eop);
-	struct e1000_hw *hw = &adapter->hw;
+	struct net_device *netdev;
+	struct e1000_ring *tx_ring;
+	unsigned int i;
+	unsigned int eop;
+	struct e1000_tx_desc *eop_desc;
+	struct e1000_hw *hw;
 	u16 phy_status, phy_1000t_status, phy_ext_status;
 	u16 pci_status;
 
 	if (test_bit(__E1000_DOWN, &adapter->state))
 		return;
 
+	netdev = adapter->netdev;
+	tx_ring = adapter->tx_ring;
+	i = tx_ring->next_to_clean;
+	eop = tx_ring->buffer_info[i].next_to_watch;
+	eop_desc = E1000_TX_DESC(*tx_ring, eop);
+	hw = &adapter->hw;
+
 	if (!adapter->tx_hang_recheck &&
 	    (adapter->flags2 & FLAG2_DMA_BURST)) {
 		/* May be block on write-back, flush and detect again
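Review bot: hoisting the `tx_ring->buffer_info[i]` dereference below the `test_bit(__E1000_DOWN, &adapter->state)` check narrows the window but does not close it. The bit is tested once, with no lock or barrier in this hunk, so the work item can pass the test and then run `i = tx_ring->next_to_clean; eop = tx_ring->buffer_info[i].next_to_watch;` against a ring that the down path is tearing down at that very moment, reaching the same NULL `buffer_info` the cover text describes. The robust fix is to make teardown wait for the work rather than have the work guess: cancel `print_hang_task` synchronously (cancel_work_sync()) in the down path before the Tx ring's `buffer_info` is freed, and keep the `__E1000_DOWN` test only as a cheap early-out. Minor: `netdev = adapter->netdev;` and `hw = &adapter->hw;` never touch `tx_ring`, so they could stay as declaration initialisers; only `tx_ring`, `i`, `eop` and `eop_desc` actually need to move, which keeps the diff smaller. Also, the Signed-off-by line above carries only an address and needs the author's full name.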


Thread overview: 2+ messages
2013-03-21  1:40 e1000e: avoid NULL pointer deref in e1000_print_hw_hang() akepner
2013-03-21  1:52 ` akepner [this message]
