r8152: Trying to fix NULL pointer dereference in r8152_poll

From e71a776c8c66916f84b9054add9b53baebf68fef Mon Sep 17 00:00:00 2001
From: Petr Vorel <petr.vorel@gmail.com>
Date: Mon, 13 Mar 2017 12:48:08 +0100
Subject: [PATCH 1/1] r8152: Fix NULL pointer dereference in r8152_poll

commit 7489bdadb7d1 (r8152: check rx after napi is enabled) causes null
pointer dereference when using device as under root:

 # rmmod r8152 # or lsusb -v
NOHZ: local_softirq_pending 08
BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
IP: r8152_poll+0x125/0x570 [r8152]
PGD 89b4cf067
PUD 898ff2067
PMD 0
Oops: 0002 [#1] PREEMPT SMP

Fixes: 7489bdadb7d1 ("r8152: check rx after napi is enabled")

Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Reviewed-by: Eric Dumazet <eric.dumazet@gmail.com>
---
 drivers/net/usb/r8152.c | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
index 986243c932cc..4b3285e0e777 100644
--- a/drivers/net/usb/r8152.c
+++ b/drivers/net/usb/r8152.c
@@ -1180,7 +1180,9 @@ static void read_bulk_callback(struct urb *urb)
        spin_lock(&tp->rx_lock);
        list_add_tail(&agg->list, &tp->rx_done);
        spin_unlock(&tp->rx_lock);
+       local_bh_disable();
        napi_schedule(&tp->napi);
+       local_bh_enable();
        return;
    case -ESHUTDOWN:
        set_bit(RTL8152_UNPLUG, &tp->flags);
@@ -1243,8 +1245,10 @@ static void write_bulk_callback(struct urb *urb)
    if (test_bit(RTL8152_UNPLUG, &tp->flags))
        return;

+   local_bh_disable();
    if (!skb_queue_empty(&tp->tx_queue))
        napi_schedule(&tp->napi);
+   local_bh_enable();
 }

 static void intr_callback(struct urb *urb)
@@ -1933,12 +1937,14 @@ static int r8152_poll(struct napi_struct *napi, int budget)
    bottom_half(tp);

    if (work_done < budget) {
+       local_bh_disable();
        napi_complete(napi);
        if (!list_empty(&tp->rx_done))
            napi_schedule(napi);
        else if (!skb_queue_empty(&tp->tx_queue) &&
             !list_empty(&tp->tx_free))
            napi_schedule(napi);
+       local_bh_enable();
    }

    return work_done;
@@ -1974,7 +1980,9 @@ int r8152_submit_rx(struct r8152 *tp, struct rx_agg *agg, gfp_t mem_flags)
        netif_err(tp, rx_err, tp->netdev,
              "Couldn't submit rx[%p], ret = %d\n", agg, ret);

+       local_bh_disable();
        napi_schedule(&tp->napi);
+       local_bh_enable();
    }

    return ret;
@@ -2095,7 +2103,9 @@ static netdev_tx_t rtl8152_start_xmit(struct sk_buff *skb,
            schedule_delayed_work(&tp->schedule, 0);
        } else {
            usb_mark_last_busy(tp->udev);
+           local_bh_disable();
            napi_schedule(&tp->napi);
+           local_bh_enable();
        }
    } else if (skb_queue_len(&tp->tx_queue) > tp->tx_qlen) {
        netif_stop_queue(netdev);
@@ -3206,8 +3216,11 @@ static void rtl_work_func_t(struct work_struct *work)

    /* don't schedule napi before linking */
    if (test_and_clear_bit(SCHEDULE_NAPI, &tp->flags) &&
-       netif_carrier_ok(tp->netdev))
+       netif_carrier_ok(tp->netdev)) {
+       local_bh_disable();
        napi_schedule(&tp->napi);
+       local_bh_enable();
+   }

    mutex_unlock(&tp->control);

@@ -3561,8 +3574,10 @@ static int rtl8152_post_reset(struct usb_interface *intf)
    netif_wake_queue(netdev);
    usb_submit_urb(tp->intr_urb, GFP_KERNEL);

+   local_bh_disable();
    if (!list_empty(&tp->rx_done))
        napi_schedule(&tp->napi);
+   local_bh_enable();

    return 0;
 }
@@ -3703,8 +3718,11 @@ static int rtl8152_resume(struct usb_interface *intf)
            napi_enable(&tp->napi);
            clear_bit(SELECTIVE_SUSPEND, &tp->flags);
            smp_mb__after_atomic();
+
+           local_bh_disable();
            if (!list_empty(&tp->rx_done))
                napi_schedule(&tp->napi);
+           local_bh_enable();
        } else {
            tp->rtl_ops.up(tp);
            netif_carrier_off(tp->netdev);
--
2.12.0