[PATCH] r8169: fix a race between PCI probe and dev_open

[PATCH] r8169: fix a race between PCI probe and dev_open

[Francois Romieu]

Call chain:
-> rtl8169_init_one
   -> register_netdev                  (dev_open starts to race...)
   -> rtl8169_init_phy
      -> rtl8169_set_speed
         -> tp->set_speed
         -> mod_timer(&tp->timer, ...) (if netif_running() is true)

As netif_running() is true just before dev->open() is issued and the
timer is initialized during dev->open, mod_timer() meets an uninitialized
tp->timer and oopses.

rtl8169_init_phy is only used on rtl8169_init_one so it's fine to never
ask it to activate the timer: the racing dev->open will do it anyway.

Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
Cc: Bernhard Walle <bwalle@suse.de>
---
 drivers/net/r8169.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/drivers/net/r8169.c b/drivers/net/r8169.c
index 577babd..3fc0611 100644
--- a/drivers/net/r8169.c
+++ b/drivers/net/r8169.c
@@ -1448,7 +1448,7 @@ static void rtl8169_init_phy(struct net_device *dev, struct rtl8169_private *tp)
 
 	rtl8169_phy_reset(dev, tp);
 
-	rtl8169_set_speed(dev, autoneg, speed, duplex);
+	tp->set_speed(dev, autoneg, speed, duplex);
 
 	if ((RTL_R8(PHYstatus) & TBI_Enable) && netif_msg_link(tp))
 		printk(KERN_INFO PFX "%s: TBI auto-negotiating\n", dev->name);
-- 
1.4.4.4

Re: [PATCH] r8169: fix a race between PCI probe and dev_open

[Linus Torvalds]

On Wed, 31 Jan 2007, Francois Romieu wrote:

> Call chain:
> -> rtl8169_init_one
>    -> register_netdev                  (dev_open starts to race...)
>    -> rtl8169_init_phy
>       -> rtl8169_set_speed
>          -> tp->set_speed
>          -> mod_timer(&tp->timer, ...) (if netif_running() is true)
> 
> As netif_running() is true just before dev->open() is issued and the
> timer is initialized during dev->open, mod_timer() meets an uninitialized
> tp->timer and oopses.

Doesn't this basically mean that *any* use of "rtl8169_set_speed()" is 
buggy?

Anyway, I'm going to wait for somebody smarter than me to ACK this patch. 
Jeff?

		Linus

Re: [PATCH] r8169: fix a race between PCI probe and dev_open

[Herbert Xu]

Francois Romieu <romieu@fr.zoreil.com> wrote:
> 
> rtl8169_init_phy is only used on rtl8169_init_one so it's fine to never
> ask it to activate the timer: the racing dev->open will do it anyway.

Does rtl8169_init_phy need to occur after register_netdev? Normally
register_netdev should be the very last thing in a probe routine.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: [PATCH] r8169: fix a race between PCI probe and dev_open

[Francois Romieu]

Linus Torvalds <torvalds@linux-foundation.org> :
[...]
> Doesn't this basically mean that *any* use of "rtl8169_set_speed()" is 
> buggy?

The second use of rtl8169_set_speed is in the change_mtu handler which
performs a complete down/cycle after a release of the timer. It's still
ugly though. If the current buggy behavior can be lived with, I'll
happily postpone the needed deeper changes.

-- 
Ueimor

Re: [PATCH] r8169: fix a race between PCI probe and dev_open

[Francois Romieu]

Herbert Xu <herbert@gondor.apana.org.au> :
[...]
> Normally register_netdev should be the very last thing in a probe routine.

Yes. I did not feel safe changing it before 2.6.20.

-- 
Ueimor

Re: [PATCH] r8169: fix a race between PCI probe and dev_open

[Jeff Garzik]

[-- Attachment #1: Type: text/plain, Size: 1244 bytes --]

Linus Torvalds wrote:
> 
> On Wed, 31 Jan 2007, Francois Romieu wrote:
> 
>> Call chain:
>> -> rtl8169_init_one
>>    -> register_netdev                  (dev_open starts to race...)
>>    -> rtl8169_init_phy
>>       -> rtl8169_set_speed
>>          -> tp->set_speed
>>          -> mod_timer(&tp->timer, ...) (if netif_running() is true)
>>
>> As netif_running() is true just before dev->open() is issued and the
>> timer is initialized during dev->open, mod_timer() meets an uninitialized
>> tp->timer and oopses.
> 
> Doesn't this basically mean that *any* use of "rtl8169_set_speed()" is 
> buggy?

No, just the first use, after which the one-time initialization occurs.


> Anyway, I'm going to wait for somebody smarter than me to ACK this patch. 
> Jeff?

I would rather have something more like the attached patch, which 
initializes the timer with the rest of the private-struct 
initialization.  Just like most other net drivers do.


And Herbert Xu wrote:
> Does rtl8169_init_phy need to occur after register_netdev? Normally
> register_netdev should be the very last thing in a probe routine.

Quite correct.



So... anybody wanna test my patch (didn't compile it, but it looks 
right) and confirm that it fixes things?

	Jeff





[-- Attachment #2: patch --]
[-- Type: text/plain, Size: 890 bytes --]

diff --git a/drivers/net/r8169.c b/drivers/net/r8169.c
index 577babd..ce66b2a 100644
--- a/drivers/net/r8169.c
+++ b/drivers/net/r8169.c
@@ -1369,11 +1369,7 @@ static inline void rtl8169_request_timer(struct net_device *dev)
 	    (tp->phy_version >= RTL_GIGA_PHY_VER_H))
 		return;
 
-	init_timer(timer);
-	timer->expires = jiffies + RTL8169_PHY_TIMEOUT;
-	timer->data = (unsigned long)(dev);
-	timer->function = rtl8169_phy_timer;
-	add_timer(timer);
+	mod_timer(timer, jiffies + RTL8169_PHY_TIMEOUT);
 }
 
 #ifdef CONFIG_NET_POLL_CONTROLLER
@@ -1686,6 +1682,10 @@ rtl8169_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
 	tp->mmio_addr = ioaddr;
 	tp->align = rtl_cfg_info[ent->driver_data].align;
 
+	init_timer(&tp->timer);
+	tp->timer.data = (unsigned long)(dev);
+	tp->timer.function = rtl8169_phy_timer;
+
 	spin_lock_init(&tp->lock);
 
 	rc = register_netdev(dev);