[PATCH net] r8169: fix setting driver_data after register_netdev

[PATCH net] r8169: fix setting driver_data after register_netdev

[Heiner Kallweit]

pci_set_drvdata() is called only after registering the net_device,
therefore we could run into a NPE if one of the functions using
driver_data is called before it's set.

Fix this by calling pci_set_drvdata() before registering the
net_device.

This fix is a candidate for stable. As far as I can see the
bug has been there in kernel version 3.2 already, therefore
I can't provide a reference which commit is fixed by it.

The fix may need small adjustments per kernel version because
due to other changes the label which is jumped to if
register_netdev() fails has changed over time.

Reported-by: David Miller <davem@davemloft.net>
Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
---
 drivers/net/ethernet/realtek/r8169.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c
index 630409e0..604ae783 100644
--- a/drivers/net/ethernet/realtek/r8169.c
+++ b/drivers/net/ethernet/realtek/r8169.c
@@ -8378,12 +8378,12 @@ static int rtl_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
 	if (!tp->counters)
 		return -ENOMEM;
 
+	pci_set_drvdata(pdev, dev);
+
 	rc = register_netdev(dev);
 	if (rc < 0)
 		return rc;
 
-	pci_set_drvdata(pdev, dev);
-
 	netif_info(tp, probe, dev, "%s at 0x%p, %pM, XID %08x IRQ %d\n",
 		   rtl_chip_infos[chipset].name, tp->mmio_addr, dev->dev_addr,
 		   (u32)(RTL_R32(tp, TxConfig) & 0x9cf0f8ff),
-- 
2.16.2

Re: [PATCH net] r8169: fix setting driver_data after register_netdev

[Francois Romieu]

Heiner Kallweit <hkallweit1@gmail.com> :
> pci_set_drvdata() is called only after registering the net_device,
> therefore we could run into a NPE if one of the functions using
> driver_data is called before it's set.
> 
> Fix this by calling pci_set_drvdata() before registering the
> net_device.
> 
> This fix is a candidate for stable. As far as I can see the
> bug has been there in kernel version 3.2 already, therefore
> I can't provide a reference which commit is fixed by it.

It does not sound convincing.

Please tell which functions are supposed to crash.

Suspend / resume ones ? Anything else ?

-- 
Ueimor

Re: [PATCH net] r8169: fix setting driver_data after register_netdev

[Andrew Lunn]

On Mon, Mar 26, 2018 at 01:07:00AM +0200, Francois Romieu wrote:
> Heiner Kallweit <hkallweit1@gmail.com> :
> > pci_set_drvdata() is called only after registering the net_device,
> > therefore we could run into a NPE if one of the functions using
> > driver_data is called before it's set.
> > 
> > Fix this by calling pci_set_drvdata() before registering the
> > net_device.
> > 
> > This fix is a candidate for stable. As far as I can see the
> > bug has been there in kernel version 3.2 already, therefore
> > I can't provide a reference which commit is fixed by it.
> 
> It does not sound convincing.
> 
> Please tell which functions are supposed to crash.

How about rtl8169_get_wol() and rtl8169_set_wol(). And
rtl8169_get_ethtool_stats().  Basically anything which makes use of
run time power management could be invoked as soon as parts of
register_netdev() have been called.

	  Andrew

Re: [PATCH net] r8169: fix setting driver_data after register_netdev

[David Miller]

From: Heiner Kallweit <hkallweit1@gmail.com>
Date: Mon, 26 Mar 2018 00:32:42 +0200

> pci_set_drvdata() is called only after registering the net_device,
> therefore we could run into a NPE if one of the functions using
> driver_data is called before it's set.
> 
> Fix this by calling pci_set_drvdata() before registering the
> net_device.
> 
> This fix is a candidate for stable. As far as I can see the
> bug has been there in kernel version 3.2 already, therefore
> I can't provide a reference which commit is fixed by it.
> 
> The fix may need small adjustments per kernel version because
> due to other changes the label which is jumped to if
> register_netdev() fails has changed over time.
> 
> Reported-by: David Miller <davem@davemloft.net>
> Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>

I agree with the fix (well, I better, I suggested it :-)

But this doesn't apply cleanly to the net tree, please respin.

Thank you.

Re: [PATCH net] r8169: fix setting driver_data after register_netdev

[Francois Romieu]

Andrew Lunn <andrew@lunn.ch> :
[...]
> How about rtl8169_get_wol() and rtl8169_set_wol(). And
> rtl8169_get_ethtool_stats().

rtl8169_get_wol does not depend on dev->driver_data. Neither does
rtl8169_set_wol() nor rtl8169_get_ethtool_stats().

> Basically anything which makes use of run time power management
> could be invoked as soon as parts of register_netdev() have been
> called.

Ok, it can crash through rtl_open and check_link_status.

If rtl_open can be called that early, rtl_init_one::rtl8168_driver_start()
may also be executed a bit late.

-- 
Ueimor

Re: [PATCH net] r8169: fix setting driver_data after register_netdev

[Andrew Lunn]

On Tue, Mar 27, 2018 at 12:18:40AM +0200, Francois Romieu wrote:
> Andrew Lunn <andrew@lunn.ch> :
> [...]
> > How about rtl8169_get_wol() and rtl8169_set_wol(). And
> > rtl8169_get_ethtool_stats().
> 
> rtl8169_get_wol does not depend on dev->driver_data. Neither does
> rtl8169_set_wol() nor rtl8169_get_ethtool_stats().

I don't know runtime pm very well, but these functions call
pm_runtime_get_noresume and pm_runtime_put_noidle. If they can result
in calls to any of the rtl8169_runtime_* functions, pci_get_drvdata()
is going to get called.

   Andrew