2008-10-17 00:25:24

by Kenji Kaneshige

Subject: [BUG][PATCH] cpqphp: fix kernel NULL pointer dereference

Hi,

The following patch fixes the regression in 2.6.27 that causes a
kernel NULL pointer dereference at cpqphp driver probe time.
This patch should be backported to the .27 stable series.

Thanks,
Kenji Kaneshige


Fix the following kernel panic problem reported by Ingo Molnar. This
seems to have been introduced by f46753c5e354b857b20ab8e0fe7b2579831dc369.

> [ 10.212026] pci_hotplug: PCI Hot Plug PCI Core version: 0.5
> [ 10.220030] initcall pci_hotplug_init+0x0/0x60 returned 0 after 7812 usecs
> [ 10.224030] calling cpqhpc_init+0x0/0x70 @ 1
> [ 10.228026] cpqphp: Compaq Hot Plug PCI Controller Driver version: 0.9.8
> [ 10.236101] bus: 'pci': add driver compaq_pci_hotplug
> [ 10.240123] bus: 'pci': driver_probe_device: matched device 0000:00:0b.0 with driver compaq_pci_hotplug
> [ 10.252026] bus: 'pci': really_probe: probing driver compaq_pci_hotplug with device 0000:00:0b.0
> [ 10.260156] compaq_pci_hotplug 0000:00:0b.0: PCI INT A -> GSI 26 (level, low) -> IRQ 26
> [ 10.268064] cpqphp: Hot Plug Subsystem Device ID: a2f8
> [ 10.276033] cpqphp: Initializing the PCI hot plug controller residing on PCI bus 0
> [ 10.280073] PCI: Using BIOS Interrupt Routing Table
> [ 10.289396] PCI: Using BIOS Interrupt Routing Table
> [ 10.294181] BUG: unable to handle kernel NULL pointer dereference at 00000020
> [ 10.302497] IP: [<c04ce708>] pci_create_slot+0x28/0x170
> [ 10.308022] *pde = 00000000
> [ 10.311199] Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
> [ 10.312000] Dumping ftrace buffer:
> [ 10.312000] (ftrace buffer empty)
> [ 10.312000]
> [ 10.312000] Pid: 1, comm: swapper Not tainted (2.6.27-tip-03538-g2075f6f-dirty #2) ProLiant
> [ 10.312000] EIP: 0060:[<c04ce708>] EFLAGS: 00010213 CPU: 1
> [ 10.312000] EIP is at pci_create_slot+0x28/0x170
> [ 10.312000] EAX: 00000246 EBX: 00000001 ECX: 03eb1000 EDX: c0f1396c
> [ 10.312000] ESI: 00000001 EDI: 00000000 EBP: f705bcac ESP: f705bc80
> [ 10.312000] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
> [ 10.312000] Process swapper (pid: 1, ti=f705a000 task=f7060000 task.ti=f705a000)
> [ 10.312000] Stack:
> [ 10.312000] f705bc8c c04bf996 c0f13ae0 f705bc98 c0b296e2 c0f13b00 f5a97040 c04d1cbb
> [ 10.312000] 00000001 00000000 ffffffef f705bcd4 c04d2194 c04d61fd f620caf0 f6057e60
> [ 10.312000] f6069a10 f6057e60 00000001 00000000 f6069a10 f705bdbc c04d6439 f5a97040
> [ 10.312000] Call Trace:
> [ 10.312000] [<c04bf996>] ? _raw_spin_unlock+0x46/0x80
> [ 10.312000] [<c0b296e2>] ? _spin_unlock+0x22/0x30
> [ 10.312000] [<c04d1cbb>] ? get_slot_from_name+0x5b/0x70
> [ 10.312000] [<c04d2194>] ? pci_hp_register+0x74/0x330
> [ 10.312000] [<c04d61fd>] ? cpqhpc_probe+0x112d/0x1b90
> [ 10.312000] [<c04d6439>] ? cpqhpc_probe+0x1369/0x1b90
> [ 10.312000] [<c04ce859>] ? pci_match_id+0x9/0x90
> [ 10.312000] [<c04ceb1e>] ? pci_device_probe+0x5e/0x80
> [ 10.312000] [<c056bee0>] ? driver_probe_device+0xe0/0x1f0
> [ 10.312000] [<c056c06a>] ? __driver_attach+0x7a/0x80
> [ 10.312000] [<c056b459>] ? bus_for_each_dev+0x49/0x70
> [ 10.312000] [<c056bc6e>] ? driver_attach+0x1e/0x20
> [ 10.312000] [<c056bff0>] ? __driver_attach+0x0/0x80
> [ 10.312000] [<c056ba13>] ? bus_add_driver+0x1c3/0x240
> [ 10.312000] [<c04cea60>] ? pci_device_remove+0x0/0x40
> [ 10.312000] [<c056c224>] ? driver_register+0x54/0x130
> [ 10.312000] [<c04bfa62>] ? __spin_lock_init+0x32/0x60
> [ 10.312000] [<c0ffb1f0>] ? cpqhpc_init+0x0/0x70
> [ 10.312000] [<c04ced53>] ? __pci_register_driver+0x63/0xa0
> [ 10.312000] [<c0ffb1f0>] ? cpqhpc_init+0x0/0x70
> [ 10.312000] [<c0ffb22b>] ? cpqhpc_init+0x3b/0x70
> [ 10.312000] [<c0ffb1f0>] ? cpqhpc_init+0x0/0x70
> [ 10.312000] [<c0101032>] ? _stext+0x32/0x170
> [ 10.312000] [<c0ffb1f0>] ? cpqhpc_init+0x0/0x70
> [ 10.312000] [<c0109bf5>] ? native_sched_clock+0xd5/0x110
> [ 10.312000] [<c015acac>] ? lock_release_holdtime+0x7c/0xb0
> [ 10.312000] [<c04bf996>] ? _raw_spin_unlock+0x46/0x80
> [ 10.312000] [<c0b296e2>] ? _spin_unlock+0x22/0x30
> [ 10.312000] [<c01efe17>] ? proc_register+0x107/0x1c0
> [ 10.312000] [<c01efcb9>] ? __proc_create+0xe9/0x100
> [ 10.312000] [<c0176994>] ? register_irq_proc+0x14/0xd0
> [ 10.312000] [<c0fdb68d>] ? kernel_init+0x10d/0x170
> [ 10.312000] [<c0fdb580>] ? kernel_init+0x0/0x170
> [ 10.312000] [<c0104c3b>] ? kernel_thread_helper+0x7/0x10
> [ 10.312000] Code: 5b 5d c3 55 89 e5 57 56 53 83 ec 20 e8 56 65 c3 ff 89 d6 89 c7 b8 40 39 f1 c0 89 4d ec e8 91 9f 65 00 83 fe ff 0f 84 7e 00 00 00 <8b> 5f 20 83 eb 04 8b 53 04 0f 18 02 90 8d 4f 20 8d 43 04 39 c8
> [ 10.312000] EIP: [<c04ce708>] pci_create_slot+0x28/0x170 SS:ESP
>

The root cause of this problem seems to be that the cpqphp driver calls
pci_hp_register() wrongly. In the current implementation, the cpqphp driver
passes 'ctrl->pci_dev->subordinate' as the second parameter to
pci_hp_register(). But because the hotplug slots and their hotplug
controller (which exists as a PCI function) are on the same bus, it should be
'ctrl->pci_dev->bus' instead.

Cc: <[email protected]>
Tested-by: Ingo Molnar <[email protected]>
Signed-off-by: Kenji Kaneshige <[email protected]>

---
drivers/pci/hotplug/cpqphp_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

Index: linux-2.6-tip/drivers/pci/hotplug/cpqphp_core.c
===================================================================
--- linux-2.6-tip.orig/drivers/pci/hotplug/cpqphp_core.c
+++ linux-2.6-tip/drivers/pci/hotplug/cpqphp_core.c
@@ -435,7 +435,7 @@ static int ctrl_slot_setup(struct contro
slot->number, ctrl->slot_device_offset,
slot_number);
result = pci_hp_register(hotplug_slot,
- ctrl->pci_dev->subordinate,
+ ctrl->pci_dev->bus,
slot->device);
if (result) {
err("pci_hp_register failed with error %d\n", result);
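Review bot: the one-line change matches the stated root cause, but it also shows that the callee has no guard for this mistake. ctrl->pci_dev is the hotplug controller function itself (0000:00:0b.0, a plain function on bus 0 per the log), not a bridge, so its subordinate pointer is NULL and pci_create_slot() faults reading through it (the oops reports a read at 00000020 inside pci_create_slot+0x28, reached via pci_hp_register from cpqhpc_probe). Consider a follow-up that makes pci_hp_register()/pci_create_slot() return -EINVAL on a NULL bus, so that a caller passing the wrong bus fails its probe cleanly instead of taking the boot down.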

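The bus/subordinate distinction the commit message relies on, as an added C model written for this thread (not kernel or cpqphp code; struct and function names are simplified stand-ins for the real pci_dev, pci_bus and pci_hp_register): for a plain PCI function such as this hotplug controller, subordinate is NULL, so registering slots against it fails, while registering against the bus the function sits on succeeds.

```c
/* Added illustration for this thread, not kernel code: a minimal model of
 * the pci_dev bus/subordinate distinction behind the cpqphp oops. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

struct pci_bus { int number; };

struct pci_dev {
    struct pci_bus *bus;          /* the bus this function is enumerated on */
    struct pci_bus *subordinate;  /* downstream bus; NULL unless the device is a bridge */
};

/* Stand-in for pci_hp_register()/pci_create_slot(), with the guard the real
 * code lacked: a NULL parent bus fails the call instead of being dereferenced. */
static int model_hp_register(struct pci_bus *parent, int devfn, int *bus_out)
{
    (void)devfn;
    if (parent == NULL)
        return -EINVAL;
    *bus_out = parent->number;
    return 0;
}

/* Before the patch cpqphp passed ctrl->pci_dev->subordinate; after it, ->bus.
 * Returns the bus number the slot was registered on, or a negative errno. */
static int slot_bus_number(const struct pci_dev *ctrl, int fixed)
{
    struct pci_bus *parent = fixed ? ctrl->bus : ctrl->subordinate;
    int bus = -1;
    int rc = model_hp_register(parent, 0x08 /* constructed slot devfn */, &bus);
    return rc < 0 ? rc : bus;
}

/* Controller as in the report: an ordinary function at 0000:00:0b.0 on bus 0,
 * so it is not a bridge and has no subordinate bus (constructed sample). */
static struct pci_bus bus0 = { 0 };
static struct pci_dev cpq_ctrl = { &bus0, NULL };

int main(void)
{
    printf("subordinate: %d (real code dereferenced NULL here)\n",
           slot_bus_number(&cpq_ctrl, 0));
    printf("bus: slot registered on bus %d\n", slot_bus_number(&cpq_ctrl, 1));
    return 0;
}
```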

2008-10-17 00:34:47

by Alex Chiang

Subject: Re: [BUG][PATCH] cpqphp: fix kernel NULL pointer dereference

* Kenji Kaneshige <[email protected]>:
>
> The root cause of this problem seems to be that the cpqphp driver calls
> pci_hp_register() wrongly. In the current implementation, the cpqphp driver
> passes 'ctrl->pci_dev->subordinate' as the second parameter to
> pci_hp_register(). But because the hotplug slots and their hotplug
> controller (which exists as a PCI function) are on the same bus, it should be
> 'ctrl->pci_dev->bus' instead.
>
> Cc: <[email protected]>

Acked-by: Alex Chiang <[email protected]>

> Tested-by: Ingo Molnar <[email protected]>
> Signed-off-by: Kenji Kaneshige <[email protected]>
>
> ---
> drivers/pci/hotplug/cpqphp_core.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> Index: linux-2.6-tip/drivers/pci/hotplug/cpqphp_core.c
> ===================================================================
> --- linux-2.6-tip.orig/drivers/pci/hotplug/cpqphp_core.c
> +++ linux-2.6-tip/drivers/pci/hotplug/cpqphp_core.c
> @@ -435,7 +435,7 @@ static int ctrl_slot_setup(struct contro
> slot->number, ctrl->slot_device_offset,
> slot_number);
> result = pci_hp_register(hotplug_slot,
> - ctrl->pci_dev->subordinate,
> + ctrl->pci_dev->bus,
> slot->device);
> if (result) {
> err("pci_hp_register failed with error %d\n", result);
>

2008-10-23 20:51:27

by Greg KH

Subject: Re: [stable] [BUG][PATCH] cpqphp: fix kernel NULL pointer dereference

On Thu, Oct 16, 2008 at 06:33:34PM -0600, Alex Chiang wrote:
> * Kenji Kaneshige <[email protected]>:
> >
> > The root cause of this problem seems to be that the cpqphp driver calls
> > pci_hp_register() wrongly. In the current implementation, the cpqphp driver
> > passes 'ctrl->pci_dev->subordinate' as the second parameter to
> > pci_hp_register(). But because the hotplug slots and their hotplug
> > controller (which exists as a PCI function) are on the same bus, it should be
> > 'ctrl->pci_dev->bus' instead.
> >
> > Cc: <[email protected]>
>
> Acked-by: Alex Chiang <[email protected]>

This patch doesn't seem to have made it upstream.

Jesse, is it queued up in any of your trees?

thanks,

greg k-h

>
> > Tested-by: Ingo Molnar <[email protected]>
> > Signed-off-by: Kenji Kaneshige <[email protected]>
> >
> > ---
> > drivers/pci/hotplug/cpqphp_core.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > Index: linux-2.6-tip/drivers/pci/hotplug/cpqphp_core.c
> > ===================================================================
> > --- linux-2.6-tip.orig/drivers/pci/hotplug/cpqphp_core.c
> > +++ linux-2.6-tip/drivers/pci/hotplug/cpqphp_core.c
> > @@ -435,7 +435,7 @@ static int ctrl_slot_setup(struct contro
> > slot->number, ctrl->slot_device_offset,
> > slot_number);
> > result = pci_hp_register(hotplug_slot,
> > - ctrl->pci_dev->subordinate,
> > + ctrl->pci_dev->bus,
> > slot->device);
> > if (result) {
> > err("pci_hp_register failed with error %d\n", result);
> >
>
> _______________________________________________
> stable mailing list
> [email protected]
> http://linux.kernel.org/mailman/listinfo/stable

2008-10-23 21:37:19

by Jesse Barnes

Subject: Re: [stable] [BUG][PATCH] cpqphp: fix kernel NULL pointer dereference

On Thursday, October 23, 2008 1:37 pm Greg KH wrote:
> On Thu, Oct 16, 2008 at 06:33:34PM -0600, Alex Chiang wrote:
> > * Kenji Kaneshige <[email protected]>:
> > > The root cause of this problem seems to be that the cpqphp driver calls
> > > pci_hp_register() wrongly. In the current implementation, the cpqphp driver
> > > passes 'ctrl->pci_dev->subordinate' as the second parameter to
> > > pci_hp_register(). But because the hotplug slots and their hotplug
> > > controller (which exists as a PCI function) are on the same bus, it should be
> > > 'ctrl->pci_dev->bus' instead.
> > >
> > > Cc: <[email protected]>
> >
> > Acked-by: Alex Chiang <[email protected]>
>
> This patch doesn't seem to have made it upstream.
>
> Jesse, is it queued up in any of your trees?

No, I missed it initially. I've got it queued up now though.

Jesse

2008-10-23 21:47:01

by Jesse Barnes

Subject: Re: [BUG][PATCH] cpqphp: fix kernel NULL pointer dereference

On Thursday, October 16, 2008 5:23 pm Kenji Kaneshige wrote:
> Hi,
>
> The following patch fixes the regression in 2.6.27 that causes a
> kernel NULL pointer dereference at cpqphp driver probe time.
> This patch should be backported to the .27 stable series.

Applied, thanks.

Jesse