aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/pci
diff options
context:
space:
mode:
authorAlex Chiang <achiang@hp.com>2009-05-21 18:21:15 -0400
committerJesse Barnes <jbarnes@virtuousgeek.org>2009-05-27 05:04:24 -0400
commit9d911d7903926a65ef49ec671bacd86bcee5eb51 (patch)
treeb41ef12ea20ae6a040fe1373a958befa07d434db /drivers/pci
parentb3bad72e494fb2ff0c81be4ca2ddb94adf6a47c2 (diff)
PCI Hotplug: acpiphp: don't store a pci_dev in acpiphp_func
An oops can occur if a user attempts to use both PCI logical hotplug and the ACPI physical hotplug driver (acpiphp) in this sequence, where $slot/address == $device. In other words, if acpiphp has claimed a PCI device, and that device is logically removed, then acpiphp may oops when it attempts to access it again. # echo 1 > /sys/bus/pci/devices/$device/remove # echo 0 > /sys/bus/pci/slots/$slot/power Unable to handle kernel NULL pointer dereference (address 0000000000000000) Call Trace: [<a000000100016390>] show_stack+0x50/0xa0 [<a000000100016c60>] show_regs+0x820/0x860 [<a00000010003b390>] die+0x190/0x2a0 [<a000000100066a40>] ia64_do_page_fault+0x8e0/0xa40 [<a00000010000c7a0>] ia64_native_leave_kernel+0x0/0x270 [<a0000001003b2660>] pci_remove_bus_device+0x120/0x260 [<a0000002060549f0>] acpiphp_disable_slot+0x410/0x540 [acpiphp] [<a0000002060505c0>] disable_slot+0xc0/0x120 [acpiphp] [<a0000002040d21c0>] power_write_file+0x1e0/0x2a0 [pci_hotplug] [<a0000001003bb820>] pci_slot_attr_store+0x60/0xa0 [<a000000100240f70>] sysfs_write_file+0x230/0x2c0 [<a000000100195750>] vfs_write+0x190/0x2e0 [<a0000001001961a0>] sys_write+0x80/0x100 [<a00000010000c600>] ia64_ret_from_syscall+0x0/0x20 [<a000000000010720>] __kernel_syscall_via_break+0x0/0x20 The root cause of this oops is that the logical remove ("echo 1 > /sys/bus/pci/devices/$device/remove") destroyed the pci_dev. The pci_dev struct itself wasn't deallocated because acpiphp kept a reference, but some of its fields became invalid. acpiphp doesn't have any real reason to keep a pointer to a pci_dev around. It can always derive it using pci_get_slot(). If a logical remove destroys the pci_dev, acpiphp won't find it and is thus prevented from causing mischief. Reviewed-by: Matthew Wilcox <willy@linux.intel.com> Reviewed-by: Kenji Kaneshige <kaneshige.kenji@jp.fujitsu.com> Tested-by: Kenji Kaneshige <kaneshige.kenji@jp.fujitsu.com> Reported-by: Kenji Kaneshige <kaneshige.kenji@jp.fujitsu.com> Acked-by: Bjorn Helgaas <bjorn.helgaas@hp.com> Signed-off-by: Alex Chiang <achiang@hp.com> Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
Diffstat (limited to 'drivers/pci')
-rw-r--r--drivers/pci/hotplug/acpiphp.h1
-rw-r--r--drivers/pci/hotplug/acpiphp_glue.c63
2 files changed, 26 insertions, 38 deletions
diff --git a/drivers/pci/hotplug/acpiphp.h b/drivers/pci/hotplug/acpiphp.h
index 4fc168b70095..e68d5f20ffb3 100644
--- a/drivers/pci/hotplug/acpiphp.h
+++ b/drivers/pci/hotplug/acpiphp.h
@@ -129,7 +129,6 @@ struct acpiphp_func {
129 struct acpiphp_bridge *bridge; /* Ejectable PCI-to-PCI bridge */ 129 struct acpiphp_bridge *bridge; /* Ejectable PCI-to-PCI bridge */
130 130
131 struct list_head sibling; 131 struct list_head sibling;
132 struct pci_dev *pci_dev;
133 struct notifier_block nb; 132 struct notifier_block nb;
134 acpi_handle handle; 133 acpi_handle handle;
135 134
diff --git a/drivers/pci/hotplug/acpiphp_glue.c b/drivers/pci/hotplug/acpiphp_glue.c
index a33794d9e0dc..3a6064bce561 100644
--- a/drivers/pci/hotplug/acpiphp_glue.c
+++ b/drivers/pci/hotplug/acpiphp_glue.c
@@ -32,9 +32,6 @@
32 32
33/* 33/*
34 * Lifetime rules for pci_dev: 34 * Lifetime rules for pci_dev:
35 * - The one in acpiphp_func has its refcount elevated by pci_get_slot()
36 * when the driver is loaded or when an insertion event occurs. It loses
37 * a refcount when its ejected or the driver unloads.
38 * - The one in acpiphp_bridge has its refcount elevated by pci_get_slot() 35 * - The one in acpiphp_bridge has its refcount elevated by pci_get_slot()
39 * when the bridge is scanned and it loses a refcount when the bridge 36 * when the bridge is scanned and it loses a refcount when the bridge
40 * is removed. 37 * is removed.
@@ -130,6 +127,7 @@ register_slot(acpi_handle handle, u32 lvl, void *context, void **rv)
130 unsigned long long adr, sun; 127 unsigned long long adr, sun;
131 int device, function, retval; 128 int device, function, retval;
132 struct pci_bus *pbus = bridge->pci_bus; 129 struct pci_bus *pbus = bridge->pci_bus;
130 struct pci_dev *pdev;
133 131
134 if (!acpi_pci_check_ejectable(pbus, handle) && !is_dock_device(handle)) 132 if (!acpi_pci_check_ejectable(pbus, handle) && !is_dock_device(handle))
135 return AE_OK; 133 return AE_OK;
@@ -213,10 +211,10 @@ register_slot(acpi_handle handle, u32 lvl, void *context, void **rv)
213 newfunc->slot = slot; 211 newfunc->slot = slot;
214 list_add_tail(&newfunc->sibling, &slot->funcs); 212 list_add_tail(&newfunc->sibling, &slot->funcs);
215 213
216 /* associate corresponding pci_dev */ 214 pdev = pci_get_slot(pbus, PCI_DEVFN(device, function));
217 newfunc->pci_dev = pci_get_slot(pbus, PCI_DEVFN(device, function)); 215 if (pdev) {
218 if (newfunc->pci_dev) {
219 slot->flags |= (SLOT_ENABLED | SLOT_POWEREDON); 216 slot->flags |= (SLOT_ENABLED | SLOT_POWEREDON);
217 pci_dev_put(pdev);
220 } 218 }
221 219
222 if (is_dock_device(handle)) { 220 if (is_dock_device(handle)) {
@@ -617,7 +615,6 @@ static void cleanup_bridge(struct acpiphp_bridge *bridge)
617 if (ACPI_FAILURE(status)) 615 if (ACPI_FAILURE(status))
618 err("failed to remove notify handler\n"); 616 err("failed to remove notify handler\n");
619 } 617 }
620 pci_dev_put(func->pci_dev);
621 list_del(list); 618 list_del(list);
622 kfree(func); 619 kfree(func);
623 } 620 }
@@ -1101,22 +1098,24 @@ static int __ref enable_device(struct acpiphp_slot *slot)
1101 pci_enable_bridges(bus); 1098 pci_enable_bridges(bus);
1102 pci_bus_add_devices(bus); 1099 pci_bus_add_devices(bus);
1103 1100
1104 /* associate pci_dev to our representation */
1105 list_for_each (l, &slot->funcs) { 1101 list_for_each (l, &slot->funcs) {
1106 func = list_entry(l, struct acpiphp_func, sibling); 1102 func = list_entry(l, struct acpiphp_func, sibling);
1107 func->pci_dev = pci_get_slot(bus, PCI_DEVFN(slot->device, 1103 dev = pci_get_slot(bus, PCI_DEVFN(slot->device,
1108 func->function)); 1104 func->function));
1109 if (!func->pci_dev) 1105 if (!dev)
1110 continue; 1106 continue;
1111 1107
1112 if (func->pci_dev->hdr_type != PCI_HEADER_TYPE_BRIDGE && 1108 if (dev->hdr_type != PCI_HEADER_TYPE_BRIDGE &&
1113 func->pci_dev->hdr_type != PCI_HEADER_TYPE_CARDBUS) 1109 dev->hdr_type != PCI_HEADER_TYPE_CARDBUS) {
1110 pci_dev_put(dev);
1114 continue; 1111 continue;
1112 }
1115 1113
1116 status = find_p2p_bridge(func->handle, (u32)1, bus, NULL); 1114 status = find_p2p_bridge(func->handle, (u32)1, bus, NULL);
1117 if (ACPI_FAILURE(status)) 1115 if (ACPI_FAILURE(status))
1118 warn("find_p2p_bridge failed (error code = 0x%x)\n", 1116 warn("find_p2p_bridge failed (error code = 0x%x)\n",
1119 status); 1117 status);
1118 pci_dev_put(dev);
1120 } 1119 }
1121 1120
1122 slot->flags |= SLOT_ENABLED; 1121 slot->flags |= SLOT_ENABLED;
@@ -1142,17 +1141,14 @@ static void disable_bridges(struct pci_bus *bus)
1142 */ 1141 */
1143static int disable_device(struct acpiphp_slot *slot) 1142static int disable_device(struct acpiphp_slot *slot)
1144{ 1143{
1145 int retval = 0;
1146 struct acpiphp_func *func; 1144 struct acpiphp_func *func;
1147 struct list_head *l; 1145 struct pci_dev *pdev;
1148 1146
1149 /* is this slot already disabled? */ 1147 /* is this slot already disabled? */
1150 if (!(slot->flags & SLOT_ENABLED)) 1148 if (!(slot->flags & SLOT_ENABLED))
1151 goto err_exit; 1149 goto err_exit;
1152 1150
1153 list_for_each (l, &slot->funcs) { 1151 list_for_each_entry(func, &slot->funcs, sibling) {
1154 func = list_entry(l, struct acpiphp_func, sibling);
1155
1156 if (func->bridge) { 1152 if (func->bridge) {
1157 /* cleanup p2p bridges under this P2P bridge */ 1153 /* cleanup p2p bridges under this P2P bridge */
1158 cleanup_p2p_bridge(func->bridge->handle, 1154 cleanup_p2p_bridge(func->bridge->handle,
@@ -1160,35 +1156,28 @@ static int disable_device(struct acpiphp_slot *slot)
1160 func->bridge = NULL; 1156 func->bridge = NULL;
1161 } 1157 }
1162 1158
1163 if (func->pci_dev) { 1159 pdev = pci_get_slot(slot->bridge->pci_bus,
1164 pci_stop_bus_device(func->pci_dev); 1160 PCI_DEVFN(slot->device, func->function));
1165 if (func->pci_dev->subordinate) { 1161 if (pdev) {
1166 disable_bridges(func->pci_dev->subordinate); 1162 pci_stop_bus_device(pdev);
1167 pci_disable_device(func->pci_dev); 1163 if (pdev->subordinate) {
1164 disable_bridges(pdev->subordinate);
1165 pci_disable_device(pdev);
1168 } 1166 }
1167 pci_remove_bus_device(pdev);
1168 pci_dev_put(pdev);
1169 } 1169 }
1170 } 1170 }
1171 1171
1172 list_for_each (l, &slot->funcs) { 1172 list_for_each_entry(func, &slot->funcs, sibling) {
1173 func = list_entry(l, struct acpiphp_func, sibling);
1174
1175 acpiphp_unconfigure_ioapics(func->handle); 1173 acpiphp_unconfigure_ioapics(func->handle);
1176 acpiphp_bus_trim(func->handle); 1174 acpiphp_bus_trim(func->handle);
1177 /* try to remove anyway.
1178 * acpiphp_bus_add might have been failed */
1179
1180 if (!func->pci_dev)
1181 continue;
1182
1183 pci_remove_bus_device(func->pci_dev);
1184 pci_dev_put(func->pci_dev);
1185 func->pci_dev = NULL;
1186 } 1175 }
1187 1176
1188 slot->flags &= (~SLOT_ENABLED); 1177 slot->flags &= (~SLOT_ENABLED);
1189 1178
1190 err_exit: 1179err_exit:
1191 return retval; 1180 return 0;
1192} 1181}
1193 1182
1194 1183
generated by cgit v1.2.2 (git 2.25.0) at 2024-12-27 23:48:17 -0500