[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [PATCH] linux/pci_back: fix NULL pointer ref.

linux/pci_back: fix NULL pointer ref.

This patch fixes the following panic.
pcistub_device_release() can be called during
initialization. Thus pci_get_drvdata() can return NULL.
Fix it by inserting NULL check.

Unable to handle kernel NULL pointer dereference at 0000000000000000 RIP: 
 [<ffffffff8122ec4d>] pciback_config_free_dyn_fields+0xb/0x67
PGD eeb6b067 PUD eb833067 PMD 0 
Oops: 0000 [1] SMP 
CPU 0 
Modules linked in:
Pid: 3181, comm: bash Not tainted 2.6.18.8 #5
RIP: e030:[<ffffffff8122ec4d>]  [<ffffffff8122ec4d>] 
pciback_config_free_dyn_fields+0xb/0x67
RSP: e02b:ffff8800e91edb98  EFLAGS: 00010202
RAX: 0000000000000000 RBX: ffff8800ecfe3ec0 RCX: ffff8800ea8e0000
RDX: ffffffffff578000 RSI: ffff8800ea8e0000 RDI: ffff8800ea8e0000
RBP: ffffffff8122d403 R08: 0000000000000002 R09: 0000000000000000
R10: 0000000000000000 R11: ffffffff81283086 R12: 0000000000000000
R13: ffffffff813f1050 R14: 0000000000000000 R15: ffff8800027c9870
FS:  00002b093b121af0(0000) GS:ffffffff8144b000(0000) knlGS:0000000000000000
CS:  e033 DS: 0000 ES: 0000
Process bash (pid: 3181, threadinfo ffff8800e91ec000, task ffff8800ebf53810)
Stack:  ffff8800ecfe3ec0 ffffffff8122d403 ffff8800ea8e0000 ffffffff8122d419
 ffff8800ecfe3ec0 ffffffff81162976 ffff8800ecfe3ec0 ffff8800ecfe3ec0
 00000000ffffffea ffffffff8122d6e7 ffffffff813f10a8 ffff8800ea8e0000
Call Trace:
 [<ffffffff8122d403>] pcistub_device_release+0x0/0x50
 [<ffffffff8122d419>] pcistub_device_release+0x16/0x50
 [<ffffffff81162976>] kref_put+0x63/0x6e
 [<ffffffff8122d6e7>] pcistub_seize+0x104/0x10b
 [<ffffffff8116ed07>] pci_device_probe+0x4c/0x73
 [<ffffffff812154cc>] pci_bus_probe_wrapper+0x1f2/0x1fe
 [<ffffffff81026bd3>] __wake_up+0x38/0x4f
 [<ffffffff8129d7f6>] netlink_broadcast+0x31a/0x362
 [<ffffffff8116ec15>] pci_match_device+0x13/0xb9
 [<ffffffff8116ed42>] pci_bus_match+0x14/0x20
 [<ffffffff811c9449>] driver_probe_device+0x52/0xa4
 [<ffffffff811c9542>] __device_attach+0x0/0x5
 [<ffffffff811c8b2f>] bus_for_each_drv+0x43/0x77
 [<ffffffff811c93e2>] device_attach+0x56/0x6b
 [<ffffffff811c880f>] bus_attach_device+0x1a/0x35
 [<ffffffff811c7b13>] device_add+0x24d/0x365
 [<ffffffff8116acbc>] pci_bus_add_device+0xd/0x52
 [<ffffffff8117635c>] pci_rescan_buses+0xde/0x1ec
 [<ffffffff8116bbd2>] pci_scan_single_device+0x21/0x11e
 [<ffffffff81176445>] pci_rescan_buses+0x1c7/0x1ec
 [<ffffffff810615b0>] __alloc_pages+0x79/0x2c4
 [<ffffffff8117647a>] enable_slot+0x10/0x1a
 [<ffffffff81175368>] power_write_file+0xa8/0x114
 [<ffffffff810bbc23>] sysfs_write_file+0xbb/0xe6
 [<ffffffff81080b8f>] vfs_write+0xad/0x153
 [<ffffffff81080cf1>] sys_write+0x45/0x6e
 [<ffffffff8100a634>] system_call+0x68/0x6d
 [<ffffffff8100a5cc>] system_call+0x0/0x6d


Code: 49 8b 1c 24 48 8b 2b eb 49 48 8b 7b 10 48 8b 47 28 48 85 c0 
RIP  [<ffffffff8122ec4d>] pciback_config_free_dyn_fields+0xb/0x67
 RSP <ffff8800e91edb98>
CR2: 0000000000000000
 
Signed-off-by: Isaku Yamahata <yamahata@xxxxxxxxxxxxx>

diff --git a/drivers/xen/pciback/conf_space.c b/drivers/xen/pciback/conf_space.c
--- a/drivers/xen/pciback/conf_space.c
+++ b/drivers/xen/pciback/conf_space.c
@@ -297,6 +297,8 @@ void pciback_config_free_dyn_fields(stru
 
        dev_dbg(&dev->dev,
                "free-ing dynamically allocated virtual configuration space 
fields\n");
+       if (!dev_data)
+               return;
 
        list_for_each_entry_safe(cfg_entry, t, &dev_data->config_fields, list) {
                field = cfg_entry->field;
@@ -321,6 +323,8 @@ void pciback_config_reset_dev(struct pci
        const struct config_field *field;
 
        dev_dbg(&dev->dev, "resetting virtual configuration space\n");
+       if (!dev_data)
+               return;
 
        list_for_each_entry(cfg_entry, &dev_data->config_fields, list) {
                field = cfg_entry->field;
@@ -337,6 +341,8 @@ void pciback_config_free_dev(struct pci_
        const struct config_field *field;
 
        dev_dbg(&dev->dev, "free-ing virtual configuration space fields\n");
+       if (!dev_data)
+               return;
 
        list_for_each_entry_safe(cfg_entry, t, &dev_data->config_fields, list) {
                list_del(&cfg_entry->list);


-- 
yamahata

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.