NULL pointer dereference in sysfs_hash_and_remove()

NULL pointer dereference in sysfs_hash_and_remove()

[Martin Josefsson]

Hi

I compiled 2.6.0-test6 and ran it on a laptop with cardbus.
I have an Xircom NIC and if I remove it during operation I get the bug
below.

I have yenta_socket and xircom_cb loaded as modules.


Unable to handle kernel NULL pointer dereference at virtual address 00000068
 printing eip:
c017cd75
*pde = 0df96067
*pte = 00000000
Oops: 0002 [#1]
CPU:    0
EIP:    0060:[<c017cd75>]    Not tainted
EFLAGS: 00010282
EIP is at sysfs_hash_and_remove+0x15/0x7d
eax: 00000000   ebx: c03109e4   ecx: 00000068   edx: ccf13dd0
esi: ccf13d60   edi: c03106e4   ebp: cea5c454   esp: cd0ede54
ds: 007b   es: 007b   ss: 0068
Process pccardd (pid: 528, threadinfo=cd0ec000 task=ce1c8740)
Stack: c017cd55 cd0ede60 c03109e4 ccf13d60 c017e231 ccf13d60 c02c390f ccf13d60 
       c0310a40 c017e368 ccf13d60 c0310a40 cfc2dc00 cfc2dd90 c023e937 cfc2dd98 
       c0310a40 cfc2dc00 cd0edeb4 c023b99a cfc2dc00 00000006 cfc2dc00 00000282 
Call Trace:
 [<c017cd55>] sysfs_get_dentry+0x65/0x70
 [<c017e231>] remove_files+0x31/0x40
 [<c017e368>] sysfs_remove_group+0x28/0x70
 [<c023e937>] netdev_unregister_sysfs+0x67/0x70
 [<c023b99a>] netdev_run_todo+0xea/0x1f0
 [<d086738c>] xircom_remove+0xac/0xd0 [xircom_cb]
 [<c01a9deb>] pci_device_remove+0x3b/0x40
 [<c01e9316>] device_release_driver+0x66/0x70
 [<c01e9455>] bus_remove_device+0x55/0xa0
 [<c01e81bd>] device_del+0x5d/0xa0
 [<c01e8213>] device_unregister+0x13/0x30
 [<c01a740e>] pci_destroy_dev+0x1e/0x70
 [<c01a752b>] pci_remove_behind_bridge+0x2b/0x40
 [<c0221b48>] shutdown_socket+0x88/0x120
 [<c0222263>] socket_remove+0x13/0x50
 [<c022230a>] socket_detect_change+0x6a/0x90
 [<c02224c8>] pccardd+0x198/0x220
 [<c011a980>] default_wake_function+0x0/0x30
 [<c011a980>] default_wake_function+0x0/0x30
 [<c0222330>] pccardd+0x0/0x220
 [<c01092a5>] kernel_thread_helper+0x5/0x10

Code: ff 48 68 78 63 89 34 24 8b 44 24 18 89 44 24 04 e8 66 ff ff 
 
-- 
/Martin

Re: NULL pointer dereference in sysfs_hash_and_remove()

[Maneesh Soni]

Hi Martin,

Here the dentry corresponding to the attribute subgroup seems to
be a negative dentry. We are ethier reomving the group more
than once or removing a non-existing attribute group. I suspect the
first thing more. Can you rebuild the kernel with DEBUG defined in 
fs/sysfs/dir.c and retest?. And send the dmesg log.

Thanks
Maneesh

On Fri, Oct 03, 2003 at 10:42:39PM +0000, Martin Josefsson wrote:
> Hi
> 
> I compiled 2.6.0-test6 and ran it on a laptop with cardbus.
> I have an Xircom NIC and if I remove it during operation I get the bug
> below.
> 
> I have yenta_socket and xircom_cb loaded as modules.
> 
> 
> Unable to handle kernel NULL pointer dereference at virtual address 00000068
>  printing eip:
> c017cd75
> *pde = 0df96067
> *pte = 00000000
> Oops: 0002 [#1]
> CPU:    0
> EIP:    0060:[<c017cd75>]    Not tainted
> EFLAGS: 00010282
> EIP is at sysfs_hash_and_remove+0x15/0x7d
> eax: 00000000   ebx: c03109e4   ecx: 00000068   edx: ccf13dd0
> esi: ccf13d60   edi: c03106e4   ebp: cea5c454   esp: cd0ede54
> ds: 007b   es: 007b   ss: 0068
> Process pccardd (pid: 528, threadinfo=cd0ec000 task=ce1c8740)
> Stack: c017cd55 cd0ede60 c03109e4 ccf13d60 c017e231 ccf13d60 c02c390f ccf13d60 
>        c0310a40 c017e368 ccf13d60 c0310a40 cfc2dc00 cfc2dd90 c023e937 cfc2dd98 
>        c0310a40 cfc2dc00 cd0edeb4 c023b99a cfc2dc00 00000006 cfc2dc00 00000282 
> Call Trace:
>  [<c017cd55>] sysfs_get_dentry+0x65/0x70
>  [<c017e231>] remove_files+0x31/0x40
>  [<c017e368>] sysfs_remove_group+0x28/0x70
>  [<c023e937>] netdev_unregister_sysfs+0x67/0x70
>  [<c023b99a>] netdev_run_todo+0xea/0x1f0
>  [<d086738c>] xircom_remove+0xac/0xd0 [xircom_cb]
>  [<c01a9deb>] pci_device_remove+0x3b/0x40
>  [<c01e9316>] device_release_driver+0x66/0x70
>  [<c01e9455>] bus_remove_device+0x55/0xa0
>  [<c01e81bd>] device_del+0x5d/0xa0
>  [<c01e8213>] device_unregister+0x13/0x30
>  [<c01a740e>] pci_destroy_dev+0x1e/0x70
>  [<c01a752b>] pci_remove_behind_bridge+0x2b/0x40
>  [<c0221b48>] shutdown_socket+0x88/0x120
>  [<c0222263>] socket_remove+0x13/0x50
>  [<c022230a>] socket_detect_change+0x6a/0x90
>  [<c02224c8>] pccardd+0x198/0x220
>  [<c011a980>] default_wake_function+0x0/0x30
>  [<c011a980>] default_wake_function+0x0/0x30
>  [<c0222330>] pccardd+0x0/0x220
>  [<c01092a5>] kernel_thread_helper+0x5/0x10
> 
> Code: ff 48 68 78 63 89 34 24 8b 44 24 18 89 44 24 04 e8 66 ff ff 
>  
> -- 
> /Martin
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
> 

-- 
Maneesh Soni
Linux Technology Center, 
IBM Software Lab, Bangalore, India
email: maneesh@in.ibm.com
Phone: 91-80-5044999 Fax: 91-80-5268553
T/L : 9243696

Re: NULL pointer dereference in sysfs_hash_and_remove()

[Stephen Hemminger]

On Sat, 04 Oct 2003 00:41:32 +0200
Martin Josefsson <gandalf@wlug.westbo.se> wrote:

> Hi
> 
> I compiled 2.6.0-test6 and ran it on a laptop with cardbus.
> I have an Xircom NIC and if I remove it during operation I get the bug
> below.
> 
> I have yenta_socket and xircom_cb loaded as modules.


The driver was setting the statistics pointer after registration had occurred,
so on unregister the network code was removing a non-existent sysfs directory.

Try this please.

diff -Nru a/drivers/net/tulip/xircom_cb.c b/drivers/net/tulip/xircom_cb.c
--- a/drivers/net/tulip/xircom_cb.c	Mon Oct 13 16:29:05 2003
+++ b/drivers/net/tulip/xircom_cb.c	Mon Oct 13 16:29:05 2003
@@ -230,7 +230,8 @@
 	   This way, we can fail gracefully if not enough memory
 	   is available. 
 	 */
-	if ((dev = init_etherdev(NULL, sizeof(struct xircom_private))) == NULL) {
+	dev = alloc_etherdev(sizeof(struct xircom_private));
+	if (!dev) {
 		printk(KERN_ERR "xircom_probe: failed to allocate etherdev\n");
 		goto device_fail;
 	}
@@ -250,7 +251,7 @@
 
 	SET_MODULE_OWNER(dev);
 	SET_NETDEV_DEV(dev, &pdev->dev);
-	printk(KERN_INFO "%s: Xircom cardbus revision %i at irq %i \n", dev->name, chip_rev, pdev->irq);
+
 
 	private->dev = dev;
 	private->pdev = pdev;
@@ -259,7 +260,6 @@
 	dev->irq = pdev->irq;
 	dev->base_addr = private->io_port;
 	
-	
 	initialize_card(private);
 	read_mac_address(private);
 	setup_descriptors(private);
@@ -272,7 +272,12 @@
 	SET_ETHTOOL_OPS(dev, &netdev_ethtool_ops);
 	pci_set_drvdata(pdev, dev);
 
-	
+	if (register_netdev(dev)) {
+		printk(KERN_ERR "xircom_probe: netdevice registration failed.\n");
+		goto reg_fail;
+	}
+		
+	printk(KERN_INFO "%s: Xircom cardbus revision %i at irq %i \n", dev->name, chip_rev, pdev->irq);
 	/* start the transmitter to get a heartbeat */
 	/* TODO: send 2 dummy packets here */
 	transceiver_voodoo(private);
@@ -287,10 +292,12 @@
 	leave("xircom_probe");
 	return 0;
 
+reg_fail:
+	kfree(private->tx_buffer);
 tx_buf_fail:
 	kfree(private->rx_buffer);
 rx_buf_fail:
-	kfree(dev);
+	free_netdev(dev);
 device_fail:
 	return -ENODEV;
 }
@@ -305,22 +312,16 @@
 static void __devexit xircom_remove(struct pci_dev *pdev)
 {
 	struct net_device *dev = pci_get_drvdata(pdev);
-	struct xircom_private *card;
+	struct xircom_private *card = dev->priv;
+
 	enter("xircom_remove");
-	if (dev!=NULL) {
-		card=dev->priv;
-		if (card!=NULL) {	
-			if (card->rx_buffer!=NULL)
-				pci_free_consistent(pdev,8192,card->rx_buffer,card->rx_dma_handle);
-			card->rx_buffer = NULL;
-			if (card->tx_buffer!=NULL)
-				pci_free_consistent(pdev,8192,card->tx_buffer,card->tx_dma_handle);
-			card->tx_buffer = NULL;			
-		}
-	}
+	pci_free_consistent(pdev,8192,card->rx_buffer,card->rx_dma_handle);
+	pci_free_consistent(pdev,8192,card->tx_buffer,card->tx_dma_handle);
+
 	release_region(dev->base_addr, 128);
 	unregister_netdev(dev);
 	free_netdev(dev);
+	pci_set_drvdata(pdev, NULL);
 	leave("xircom_remove");
 } 
 

Re: NULL pointer dereference in sysfs_hash_and_remove()

[Jeff Garzik]

applied to 2.4 and 2.5

Re: NULL pointer dereference in sysfs_hash_and_remove()

[Martin Josefsson]

[-- Attachment #1: Type: text/plain, Size: 733 bytes --]

On Tue, 2003-10-14 at 01:32, Stephen Hemminger wrote:
> On Sat, 04 Oct 2003 00:41:32 +0200
> Martin Josefsson <gandalf@wlug.westbo.se> wrote:
> 
> > Hi
> > 
> > I compiled 2.6.0-test6 and ran it on a laptop with cardbus.
> > I have an Xircom NIC and if I remove it during operation I get the bug
> > below.
> > 
> > I have yenta_socket and xircom_cb loaded as modules.
> 
> 
> The driver was setting the statistics pointer after registration had occurred,
> so on unregister the network code was removing a non-existent sysfs directory.
> 
> Try this please.

I've applied this patch and 
"[PATCH] sysfs -- don't crash if removing non-existant attribute group"
and now it works great.

Thanks.

-- 
/Martin

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]