From 8cc2bfd87fdd2f4a31f39c86f59df4b4be2c0adc Mon Sep 17 00:00:00 2001 From: Kenji Kaneshige Date: Wed, 23 Jun 2010 16:04:10 +0900 Subject: PCI: kernel oops on access to pci proc file while hot-removal I encountered the problem that /proc/bus/pci/XX/YY is not removed even after the corresponding device is hot-removed, if the file is still being opened. In addtion, accessing this file in this situation causes kernel panic (see below). Becasue the pci_proc_detach_device() doesn't call remove_proc_entry() if struct proc_dir_entry->count > 1, access to /proc/bus/pci/XX/YY would refer to struct pci_dev that was already freed. Though I don't know why the check for proc_dir_entry->count was added, I don't think it is needed. Removing this check fixes the problem. Steps to reproduce ------------------ # cd /sys/bus/pci/slots/2/ # PROC_BUS_PCI_FILE=/proc/bus/pci/`awk -F: '{print $2"/"$3}' < address`.0 # sleep 10000 < $PROC_BUS_PCI_FILE & # echo 0 > power # while true; do cat $PROC_BUS_PCI_FILE > /dev/null; done Oops Messages ------------- BUG: unable to handle kernel NULL pointer dereference at 00000042 IP: [] pci_user_read_config_dword+0x65/0xa0 *pdpt = 000000002185e001 *pde = 0000000476a79067 Oops: 0000 [#1] SMP last sysfs file: /sys/devices/pci0000:00/0000:00:1c.0/0000:10:00.0/local_cpus Modules linked in: autofs4 sunrpc cpufreq_ondemand acpi_cpufreq ipv6 dm_mirror dm_region_hash dm_log dm_mod e1000e i2c_i801 i2c_core iTCO_wdt igb sg pcspkr dca iTCO_vendor_support ext4 mbcache jbd2 sd_mod crc_t10dif lpfc mptsas scsi_transport_fc mptscsih mptbase scsi_tgt scsi_transport_sas [last unloaded: microcode] Pid: 2997, comm: cat Not tainted 2.6.34-kk #32 SB/PRIMEQUEST 1800E EIP: 0060:[] EFLAGS: 00010046 CPU: 19 EIP is at pci_user_read_config_dword+0x65/0xa0 EAX: 00000002 EBX: e44f1800 ECX: e144df14 EDX: 155668c7 ESI: 00000087 EDI: 00000000 EBP: e144df40 ESP: e144df0c DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 Process cat (pid: 2997, ti=e144c000 task=e26f2570 task.ti=e144c000) Stack: c09ceac0 c0570f72 ffffffff 08c57000 00000000 00001000 e44f1800 c05d2404 <0> e144df40 00001000 00000000 00001000 08c57000 3093ae50 e420cb40 e358d5c0 <0> c05d2300 fffffffb c054984f e144df9c 00008000 08c57000 e358d5c0 00008000 Call Trace: [] ? security_capable+0x22/0x30 [] ? proc_bus_pci_read+0x104/0x220 [] ? proc_bus_pci_read+0x0/0x220 [] ? proc_reg_read+0x5f/0x90 [] ? proc_reg_read+0x0/0x90 [] ? vfs_read+0x9d/0x190 [] ? audit_syscall_entry+0x204/0x230 [] ? sys_read+0x41/0x70 [] ? sysenter_do_call+0x12/0x28 Code: b4 26 00 00 00 00 b8 20 88 b1 c0 c7 44 24 08 ff ff ff ff e8 3e 52 22 00 f6 83 24 04 00 00 20 75 34 8b 43 08 8d 4c 24 08 8b 53 1c <8b> 70 40 89 4c 24 04 89 f9 c7 04 24 04 00 00 00 ff 16 89 c6 f0 EIP: [] pci_user_read_config_dword+0x65/0xa0 SS:ESP 0068:e144df0c CR2: 0000000000000042 Acked-by: Greg Kroah-Hartman Signed-off-by: Kenji Kaneshige Signed-off-by: Jesse Barnes --- drivers/pci/proc.c | 2 -- 1 file changed, 2 deletions(-) (limited to 'drivers/pci/proc.c') diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c index 449e890267a..68316b59d7d 100644 --- a/drivers/pci/proc.c +++ b/drivers/pci/proc.c @@ -431,8 +431,6 @@ int pci_proc_detach_device(struct pci_dev *dev) struct proc_dir_entry *e; if ((e = dev->procent)) { - if (atomic_read(&e->count) > 1) - return -EBUSY; remove_proc_entry(e->name, dev->bus->procdir); dev->procent = NULL; } -- cgit v1.2.3-70-g09d2 From 4e344b1cc53989e8ecc1140e9346f657d7c8aa9e Mon Sep 17 00:00:00 2001 From: Kulikov Vasiliy Date: Sat, 3 Jul 2010 20:04:39 +0400 Subject: PCI: use for_each_pci_dev() Use for_each_pci_dev() to simplify the code. Signed-off-by: Kulikov Vasiliy Signed-off-by: Jesse Barnes --- drivers/pci/hotplug/fakephp.c | 2 +- drivers/pci/proc.c | 4 ++-- drivers/pci/quirks.c | 2 +- drivers/pci/search.c | 2 +- drivers/pci/setup-irq.c | 3 +-- 5 files changed, 6 insertions(+), 7 deletions(-) (limited to 'drivers/pci/proc.c') diff --git a/drivers/pci/hotplug/fakephp.c b/drivers/pci/hotplug/fakephp.c index 5317e4d7d96..17d10e2e8fb 100644 --- a/drivers/pci/hotplug/fakephp.c +++ b/drivers/pci/hotplug/fakephp.c @@ -135,7 +135,7 @@ static int __init init_legacy(void) struct pci_dev *pdev = NULL; /* Add existing devices */ - while ((pdev = pci_get_device(PCI_ANY_ID, PCI_ANY_ID, pdev))) + for_each_pci_dev(pdev) legacy_add_slot(pdev); /* Be alerted of any new ones */ diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c index 68316b59d7d..01f0306525a 100644 --- a/drivers/pci/proc.c +++ b/drivers/pci/proc.c @@ -483,9 +483,9 @@ static int __init pci_proc_init(void) proc_create("devices", 0, proc_bus_pci_dir, &proc_bus_pci_dev_operations); proc_initialized = 1; - while ((dev = pci_get_device(PCI_ANY_ID, PCI_ANY_ID, dev)) != NULL) { + for_each_pci_dev(dev) pci_proc_attach_device(dev); - } + return 0; } diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c index 202efa6f57c..8141f442e3d 100644 --- a/drivers/pci/quirks.c +++ b/drivers/pci/quirks.c @@ -2773,7 +2773,7 @@ static int __init pci_apply_final_quirks(void) printk(KERN_DEBUG "PCI: CLS %u bytes\n", pci_cache_line_size << 2); - while ((dev = pci_get_device(PCI_ANY_ID, PCI_ANY_ID, dev)) != NULL) { + for_each_pci_dev(dev) { pci_fixup_device(pci_fixup_final, dev); /* * If arch hasn't set it explicitly yet, use the CLS diff --git a/drivers/pci/search.c b/drivers/pci/search.c index 20d03f77228..9d75dc8ca60 100644 --- a/drivers/pci/search.c +++ b/drivers/pci/search.c @@ -169,7 +169,7 @@ struct pci_dev *pci_get_domain_bus_and_slot(int domain, unsigned int bus, { struct pci_dev *dev = NULL; - while ((dev = pci_get_device(PCI_ANY_ID, PCI_ANY_ID, dev)) != NULL) { + for_each_pci_dev(dev) { if (pci_domain_nr(dev->bus) == domain && (dev->bus->number == bus && dev->devfn == devfn)) return dev; diff --git a/drivers/pci/setup-irq.c b/drivers/pci/setup-irq.c index aa795fd428d..eec9738f349 100644 --- a/drivers/pci/setup-irq.c +++ b/drivers/pci/setup-irq.c @@ -59,7 +59,6 @@ pci_fixup_irqs(u8 (*swizzle)(struct pci_dev *, u8 *), int (*map_irq)(struct pci_dev *, u8, u8)) { struct pci_dev *dev = NULL; - while ((dev = pci_get_device(PCI_ANY_ID, PCI_ANY_ID, dev)) != NULL) { + for_each_pci_dev(dev) pdev_fixup_irq(dev, swizzle, map_irq); - } } -- cgit v1.2.3-70-g09d2