linux/drivers
Kenji Kaneshige dbd79aed1a pciehp: fix NULL dereference in interrupt handler
Fix the following NULL dereference problem reported from Pierre Ossman
and Ingo Molnar.

pciehp: HPC vendor_id 8086 device_id 27d0 ss_vid 0 ss_did 0
pciehp: pciehp_find_slot: slot (device=0x0) not found
BUG: unable to handle kernel NULL pointer dereference at 0000000000000070
IP: [<ffffffff80494a8b>] pciehp_handle_presence_change+0x7e/0x113
PGD 0
Oops: 0000 [1]
CPU 0
Modules linked in:
Pid: 1, comm: swapper Tainted: G        W 2.6.26-rc3-sched-devel.git-00001-g2b99b26-dirty #170
RIP: 0010:[<ffffffff80494a8b>]  [<ffffffff80494a8b>] pciehp_handle_presence_change+0x7e/0x113
RSP: 0000:ffff81003f83fbb0  EFLAGS: 00010046
RAX: 0000000000000039 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000046
RBP: ffff81003f83fbd0 R08: 0000000000000001 R09: ffffffff80245103
R10: 0000000000000020 R11: 0000000000000000 R12: ffff81003ea53a30
R13: 0000000000000000 R14: 0000000000000011 R15: ffffffff80495926
FS:  0000000000000000(0000) GS:ffffffff80be7400(0000) knlGS:0000000000000000
CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
CR2: 0000000000000070 CR3: 0000000000201000 CR4: 00000000000006a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process swapper (pid: 1, threadinfo ffff81003f83e000, task ffff81003f840000)
Stack:  0000000000000008 ffff81003f83fbf6 ffff81003ea53a30 0000000000000008
 ffff81003f83fc10 ffffffff80495ab4 0000000000000011 0000000000000002
 0000000000000202 0000000000000202 00000000fffffff4 ffff81003ea53a30
Call Trace:
 [<ffffffff80495ab4>] pcie_isr+0x18e/0x1bc
 [<ffffffff80260831>] request_irq+0x106/0x12f
 [<ffffffff80495fb6>] pcie_init+0x15e/0x6cc
 [<ffffffff804933a3>] pciehp_probe+0x64/0x541
 [<ffffffff8048f4e7>] pcie_port_probe_service+0x4c/0x76
 [<ffffffff8054af70>] driver_probe_device+0xd4/0x1f0
 [<ffffffff8054b108>] __driver_attach+0x7c/0x7e
 [<ffffffff8054b08c>] ? __driver_attach+0x0/0x7e
 [<ffffffff8054a4b6>] bus_for_each_dev+0x53/0x7d
 [<ffffffff8054ad3c>] driver_attach+0x1c/0x1e
 [<ffffffff8054a9c2>] bus_add_driver+0xdd/0x25b
 [<ffffffff80c09d3d>] ? pcied_init+0x0/0x8b
 [<ffffffff8054b288>] driver_register+0x5f/0x13e
 [<ffffffff80c09d3d>] ? pcied_init+0x0/0x8b
 [<ffffffff8048f441>] pcie_port_service_register+0x47/0x49
 [<ffffffff80c09d52>] pcied_init+0x15/0x8b
 [<ffffffff80bf3938>] kernel_init+0x75/0x243
 [<ffffffff808639d2>] ? _spin_unlock_irq+0x2b/0x3a
 [<ffffffff80228d1f>] ? finish_task_switch+0x57/0x9a
 [<ffffffff8020c258>] child_rip+0xa/0x12
 [<ffffffff8020bcec>] ? restore_args+0x0/0x30
 [<ffffffff80bf38c3>] ? kernel_init+0x0/0x243
 [<ffffffff8020c24e>] ? child_rip+0x0/0x12

Code: 83 80 00 00 00 48 39 f0 75 e1 0f b6 c9 48 c7 c2 00 0e 8d 80 48 c7 c6 8a 60 a6 80 48 c7 c7 10 db a8 80 31 c0 e8 3f 8d d9 ff 31 db <48> 8b 43 70 48 8d 75 ef 48 89 df ff 50 30 80 7d ef 00 74 37 48
RIP  [<ffffffff80494a8b>] pciehp_handle_presence_change+0x7e/0x113
 RSP <ffff81003f83fbb0>
CR2: 0000000000000070
Kernel panic - not syncing: Fatal exception

The situation under which it occurs is hw and timing related: it appears
to happen on a system that has PCI hotplug hardware but with no active
hotplug cards, and another interrupt in the same (shared) IRQ line
arrives too early, before the hotplug-slot entry has been set up - as
triggered by CONFIG_DEBUG_SHIRQ=y:

This patch contains the following two fixes.

(1) Clear all events bits in Slot Status register to prevent the pciehp
    driver from detecting the spurious events that would have been occur
    before pciehp loading.

(2) Add check whether slot initialization had been already done.

This is short term fix. We need more structural fixes to install
interrupt handler after slot initialization is done.

Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Kenji Kaneshige <kaneshige.kenji@jp.fujitsu.com>
Signed-off-by: Kristen Carlson Accardi <kristen.c.accardi@intel.com>
Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
2008-05-27 15:43:08 -07:00
..
accessibility Kconfig: improved help for CONFIG_ACCESSIBILITY 2008-05-08 10:46:55 -07:00
acorn/char
acpi Fix ACPI vs proc_create_data() mismerge 2008-04-30 16:26:27 -07:00
amba
ata pata_atiixp: Don't disable 2008-05-06 11:43:44 -04:00
atm Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2008-04-30 08:45:48 -07:00
auxdisplay
base Clean up 'print_fn_descriptor_symbol()' types 2008-05-15 17:50:37 -07:00
block block: avoid duplicate calls to get_part() in disk stat code 2008-05-07 10:15:46 +02:00
bluetooth hci_usb.h: fix hard-to-trigger race 2008-05-02 16:45:10 -07:00
cdrom Merge branch 'for-linus' of git://git.kernel.dk/linux-2.6-block 2008-04-29 08:18:03 -07:00
char tty: fix BKL related leak and crash 2008-05-15 10:19:30 -07:00
clocksource
connector
cpufreq [CPUFREQ] state info wrong after resume 2008-04-28 16:27:08 -04:00
cpuidle
crypto
dca
dio
dma
edac dev_name introduction fall out fix 2008-05-05 15:08:38 -07:00
eisa
firewire Merge git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-misc-2.6 2008-05-02 13:52:35 -07:00
firmware edd: add default mode CONFIG_EDD_OFF=n, override with edd={on,off} 2008-04-29 08:06:23 -07:00
gpio gpio: pca953x: add support for pca9555 I2C I/O expander 2008-05-01 08:04:01 -07:00
hid hid-core: use get_unaligned_* helpers 2008-04-29 08:06:27 -07:00
hwmon Merge branch 'release' of git://lm-sensors.org/kernel/mhoffman/hwmon-2.6 2008-05-01 08:28:26 -07:00
i2c [MIPS] Alchemy: SMBus resource fix 2008-05-12 16:46:50 +01:00
ide cs5520: disable VDMA 2008-05-14 23:06:16 +02:00
ieee1394 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6 2008-05-01 11:31:38 -07:00
infiniband RDMA/cxgb3: Wrap the software send queue pointer as needed on flush 2008-05-13 11:52:55 -07:00
input Merge git://git.kernel.org/pub/scm/linux/kernel/git/lethal/sh-2.6 2008-05-09 08:07:58 -07:00
isdn isdn: hysdn_procconf.c build fix 2008-05-01 08:03:59 -07:00
leds Remove duplicated unlikely() in IS_ERR() 2008-04-29 08:06:25 -07:00
lguest lguest: make Launcher see device status updates 2008-05-02 21:50:54 +10:00
macintosh [POWERPC] macintosh: Replace deprecated __initcall with device_initcall 2008-05-15 20:50:00 +10:00
mca proc: remove proc_root from drivers 2008-04-29 08:06:18 -07:00
md Remove blkdev warning triggered by using md 2008-05-14 19:11:15 -07:00
media V4L/DVB (7900): pvrusb: Fix Kconfig if DVB=m V4L_core=y 2008-05-14 02:56:47 -03:00
memstick
message Remove duplicated unlikely() in IS_ERR() 2008-04-29 08:06:25 -07:00
mfd drivers: replace remaining __FUNCTION__ occurrences 2008-04-30 08:29:53 -07:00
misc drivers/misc/sgi-xp: replace partid_t with a short 2008-05-13 08:02:23 -07:00
mmc mmc: make one-bit signed bitfields unsigned 2008-05-13 08:02:23 -07:00
mtd mtd: solutionengine flash map depends on solution engine mach group. 2008-05-08 19:51:40 +09:00
net Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2008-05-14 10:08:24 -07:00
nubus proc: convert /proc/bus/nubus to seq_file interface 2008-04-29 08:06:19 -07:00
of [POWERPC] Add null pointer check to of_find_property 2008-05-15 20:49:49 +10:00
oprofile oprofile: don't request cache line alignment for cpu_buffer 2008-05-14 19:11:12 -07:00
parisc drivers/parisc: replace remaining __FUNCTION__ occurrences 2008-05-15 10:38:54 -04:00
parport debugobjects: add timer specific object debugging code 2008-04-30 08:29:53 -07:00
pci pciehp: fix NULL dereference in interrupt handler 2008-05-27 15:43:08 -07:00
pcmcia pcmcia: replace remaining __FUNCTION__ occurrences 2008-05-01 08:04:00 -07:00
pnp Clean up 'print_fn_descriptor_symbol()' types 2008-05-15 17:50:37 -07:00
power Merge git://git.infradead.org/battery-2.6 2008-05-03 10:57:57 -07:00
ps3 [POWERPC] PS3: Remove unsupported wakeup sources 2008-05-02 15:00:44 +10:00
rapidio [RAPIDIO] Auto-probe the RapidIO system size 2008-04-29 19:40:28 +10:00
rtc rtc: m41t80: include <linux/kernel.h> for printk() 2008-05-13 08:02:26 -07:00
s390 [S390] tape: Use ccw_dev_id to build cdev_id. 2008-05-15 16:52:40 +02:00
sbus sbus: Fix bpp driver build. 2008-05-05 00:33:58 -07:00
scsi Merge git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-rc-fixes-2.6 2008-05-13 11:24:51 -07:00
serial m68knommu: add info about removing mcfserial 2008-05-14 19:11:12 -07:00
sh
sn
spi mpc5200_psc_spi: typo fix in header block 2008-05-14 19:11:12 -07:00
ssb
tc
telephony
thermal thermal: re-name thermal.c to thermal_sys.c 2008-04-29 03:12:17 -04:00
uio
usb USB: atmel_usba_udc fixes, mostly disconnect() 2008-05-14 10:00:30 -07:00
video video/logo: add support for Blackfin/Linux logo for framebuffer console 2008-05-14 19:11:14 -07:00
virtio virtio: explicit advertisement of driver features 2008-05-02 21:50:50 +10:00
w1 drivers: replace remaining __FUNCTION__ occurrences 2008-04-30 08:29:53 -07:00
watchdog
xen
zorro zorro: use non-racy method for proc entries creation 2008-04-29 08:06:21 -07:00
Kconfig Basic braille screen reader support 2008-04-30 08:29:52 -07:00
Makefile Basic braille screen reader support 2008-04-30 08:29:52 -07:00