2006-05-26 06:39:23

by Yanmin Zhang

Subject: pci_walk_bus race condition

pci_walk_bus has a race with pci_destroy_dev. In the while loop,
when the callback function is called, dev pointed by next might be
freed and erased. So later on access to dev might cause kernel panic.

Yanmin


2006-05-26 13:57:21

by Greg KH

Subject: Re: pci_walk_bus race condition

On Fri, May 26, 2006 at 02:35:16PM +0800, Zhang, Yanmin wrote:
> pci_walk_bus has a race with pci_destroy_dev. In the while loop,
> when the callback function is called, dev pointed by next might be
> freed and erased. So later on access to dev might cause kernel panic.

Have you seen this happen? The only user of this function is the PPC64
EEH handler, which last time I checked, didn't run on Intel based
processors :)

thanks,

greg k-h

2006-05-29 00:45:32

by Yanmin Zhang

Subject: Re: pci_walk_bus race condition

On Fri, 2006-05-26 at 21:50, Greg KH wrote:
> On Fri, May 26, 2006 at 02:35:16PM +0800, Zhang, Yanmin wrote:
> > pci_walk_bus has a race with pci_destroy_dev. In the while loop,
> > when the callback function is called, dev pointed by next might be
> > freed and erased. So later on access to dev might cause kernel panic.
>
> Have you seen this happen? The only user of this function is the PPC64
> EEH handler, which last time I checked, didn't run on Intel based
> processors :)
I am enabling PCI-Express AER in kernel and want to use it. After
double-checking, I found the lock is not good.

Thanks,
Yanmin

2006-05-29 08:09:55

by Yanmin Zhang

Subject: Re: pci_walk_bus race condition

On Mon, 2006-05-29 at 08:41, Zhang, Yanmin wrote:
> On Fri, 2006-05-26 at 21:50, Greg KH wrote:
> > On Fri, May 26, 2006 at 02:35:16PM +0800, Zhang, Yanmin wrote:
> > > pci_walk_bus has a race with pci_destroy_dev. In the while loop,
> > > when the callback function is called, dev pointed by next might be
> > > freed and erased. So later on access to dev might cause kernel panic.
> >
> > Have you seen this happen? The only user of this function is the PPC64
> > EEH handler, which last time I checked, didn't run on Intel based
> > processors :)
> I am enabling PCI-Express AER in kernel and want to use it. After
> double-checking, I found the lock is not good.
How about changing pci_bus_lock to a sema? I think it's the thorough
approach. As the write lock is used only when initializing and uninitializing,
the performance won't be hurt severely.

Thanks,
Yanmin
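The following is an added illustration, not code from this thread or from the kernel: a constructed user-space model of the race Yanmin describes and of the reader/writer-lock approach he proposes. The structure and function names (`pci_dev`, `pci_bus`, `pci_walk_bus`, `pci_destroy_dev`, the device names) are assumptions chosen to mirror the discussion. `pci_walk_bus_racy` shows the pattern that drops the lock around the callback, so a concurrent destroy can free `dev` before `dev->next` is reloaded; it is shown for contrast and never executed. `pci_walk_bus` holds the read side across the callback, so `pci_destroy_dev` (write side) must wait until the walk finishes. `run_scenario` runs one slow walk against one concurrent destroy and records, with a global sequence counter, that the destroyer only got the lock after the last callback returned.

```c
#define _DEFAULT_SOURCE
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed model of a bus device list (assumed names, not kernel code). */
struct pci_dev { char name[16]; struct pci_dev *next; };
struct pci_bus { struct pci_dev *devices; pthread_rwlock_t lock; /* the "sema" */ };

struct race_result {
    int visited;             /* devices the walker reached */
    int last_callback_at;    /* sequence number of the final callback */
    int destroy_acquired_at; /* sequence number when destroy got the write lock */
    int destroy_found;       /* 1 if the device still existed when destroyed */
};

static atomic_int event_seq;          /* global ordering clock for the check */
static atomic_int walker_in_callback; /* set once the walker holds the read lock */

static void bus_add(struct pci_bus *bus, const char *name)
{
    struct pci_dev *dev = calloc(1, sizeof(*dev));
    if (!dev) abort();
    strncpy(dev->name, name, sizeof(dev->name) - 1);
    dev->next = bus->devices;   /* push at head */
    bus->devices = dev;
}

/* Racy pattern (never called here): the lock is released around the
 * callback, so a concurrent pci_destroy_dev() may free dev before
 * dev->next is read back, which is a use-after-free. */
static void pci_walk_bus_racy(struct pci_bus *bus,
                              int (*cb)(struct pci_dev *, void *), void *arg)
{
    pthread_rwlock_rdlock(&bus->lock);
    struct pci_dev *dev = bus->devices;
    while (dev) {
        pthread_rwlock_unlock(&bus->lock);
        cb(dev, arg);                       /* dev may be freed while unlocked */
        pthread_rwlock_rdlock(&bus->lock);
        dev = dev->next;                    /* reads freed memory in that case */
    }
    pthread_rwlock_unlock(&bus->lock);
}

/* Fixed pattern: keep the read side across the callback; writers block. */
static int pci_walk_bus(struct pci_bus *bus,
                        int (*cb)(struct pci_dev *, void *), void *arg)
{
    int visited = 0;
    pthread_rwlock_rdlock(&bus->lock);
    for (struct pci_dev *dev = bus->devices; dev; dev = dev->next) {
        visited++;
        if (cb(dev, arg)) break;
    }
    pthread_rwlock_unlock(&bus->lock);
    return visited;
}

/* Unlink and free one device under the write lock; optionally stamp when
 * the lock was acquired so the ordering can be checked afterwards. */
static int pci_destroy_dev(struct pci_bus *bus, const char *name, int *acquired_at)
{
    struct pci_dev **pp, *victim = NULL;
    pthread_rwlock_wrlock(&bus->lock);
    if (acquired_at) *acquired_at = atomic_fetch_add(&event_seq, 1);
    for (pp = &bus->devices; *pp; pp = &(*pp)->next)
        if (strcmp((*pp)->name, name) == 0) { victim = *pp; *pp = victim->next; break; }
    pthread_rwlock_unlock(&bus->lock);
    free(victim);
    return victim != NULL;
}

/* Slow callback: signals that it runs under the lock, then lingers so the
 * destroyer has time to contend for the write side. */
static int slow_cb(struct pci_dev *dev, void *arg)
{
    struct race_result *res = arg;
    (void)dev;
    atomic_store(&walker_in_callback, 1);
    usleep(20000);
    res->last_callback_at = atomic_fetch_add(&event_seq, 1);
    return 0;
}

struct walker_args { struct pci_bus *bus; struct race_result *res; };
static void *walker(void *p)
{
    struct walker_args *a = p;
    a->res->visited = pci_walk_bus(a->bus, slow_cb, a->res);
    return NULL;
}

/* One walk racing one destroy; returns what each side observed. */
struct race_result run_scenario(void)
{
    struct pci_bus bus = { .devices = NULL };
    struct race_result res = { 0, -1, -1, 0 };
    struct walker_args args = { &bus, &res };
    pthread_t tid;
    pthread_rwlock_init(&bus.lock, NULL);
    bus_add(&bus, "00:1c.0"); bus_add(&bus, "00:1c.1"); bus_add(&bus, "00:1c.2");
    atomic_store(&event_seq, 0);
    atomic_store(&walker_in_callback, 0);
    pthread_create(&tid, NULL, walker, &args);
    while (!atomic_load(&walker_in_callback)) sched_yield(); /* walker holds rdlock */
    res.destroy_found = pci_destroy_dev(&bus, "00:1c.1", &res.destroy_acquired_at);
    pthread_join(tid, NULL);
    struct race_result out = res;
    while (bus.devices) pci_destroy_dev(&bus, bus.devices->name, NULL); /* teardown */
    pthread_rwlock_destroy(&bus.lock);
    return out;
}

int main(void)
{
    struct race_result r = run_scenario();
    printf("visited=%d last_cb=%d destroy_lock=%d found=%d\n",
           r.visited, r.last_callback_at, r.destroy_acquired_at, r.destroy_found);
    return 0;
}
```

With the lock held across the callback, all three devices are visited (sequence numbers 0, 1, 2) and the destroyer only acquires the write side at sequence 3, after the walk is over; the same scenario run through `pci_walk_bus_racy` would let the destroy of `00:1c.1` happen while the walker still holds a pointer to it. Build with `-pthread`.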