From: Philip Guo
Date: Mon, 26 Feb 2007 00:10:29 +0000
Subject: possible bug in pci/hotplug/pciehp_core.c in linux-2.6.19
Message-Id: <45E22575.5060504@cs.stanford.edu>
To: linux-hotplug@vger.kernel.org

Hi,

I am a graduate student working on finding bugs in Linux drivers using
an automated research tool. I think I've found a possible bug in
pci/hotplug/pciehp_core.c, and I'd appreciate it if you could
confirm/disconfirm it.

This code is in 2.6.19, but I just checked on 2.6.20.1, and this same
problem seems to still be present.

Thanks,
Philip

---

One thread seems to deadlock itself by calling down() on a semaphore
initialized to locked.

pci/hotplug/pciehp_core.c:

Start at pcied_init() -

static int __init pcied_init(void)
{
	int retval = 0;

#ifdef CONFIG_HOTPLUG_PCI_PCIE_POLL_EVENT_MODE
	pciehp_poll_mode = 1;
#endif

	retval = pcie_start_thread(); <-- [this returns an error]
	if (retval)
		goto error_hpc_init;

[...]

error_hpc_init:
	if (retval) { <-- [true]
		pciehp_event_stop_thread(); <-- [calling this will deadlock - see code snippet at the end]
	};

	return retval;
}

static int pcie_start_thread(void)
{
	int retval = 0;

	retval = pciehp_event_start_thread(); <-- [call this]
	if (retval) { <-- [take failed branch]
		return retval;
	}

	return retval;
}

pci/hotplug/pciehp_ctrl.c:

static struct semaphore event_exit; /* guard ensure thread has exited before calling it quits */

int pciehp_event_start_thread(void)
{
	int pid;

	/* initialize our semaphores */
	init_MUTEX_LOCKED(&event_exit); <-- [event_exit init to LOCKED]
	event_finished=0;

	init_MUTEX_LOCKED(&event_semaphore);
	pid = kernel_thread(event_thread, NULL, 0); <-- [this fails]

	if (pid < 0) { <-- [take this branch because kernel_thread failed]
		err ("Can't start up our event thread\n");
		return -1; <-- [return error]
	}
	return 0;
}

void pciehp_event_stop_thread(void)
{
	event_finished = 1;
	up(&event_semaphore);
	down(&event_exit); <-- [this is called from the end of pcied_init() on a LOCKED semaphore, so deadlock]
}
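
The error path described in the report, as an added user-space model (not code from the original message or from the kernel). The toy semaphore, sem_try_down(), the spawn_ok parameter and the thread_started guard are hypothetical, and the model assumes the event thread is the only code that releases event_exit, which the report implies but does not show.

```c
/* User-space model (constructed) of the init error path from the report. */
#include <stdbool.h>
#include <stdio.h>

struct sem { int count; };                                    /* toy counting semaphore */
static void sem_init_locked(struct sem *s) { s->count = 0; }  /* like init_MUTEX_LOCKED() */
static void sem_up(struct sem *s) { s->count++; }             /* like up() */
/* Non-blocking stand-in for down(): false means the real down() would sleep. */
static bool sem_try_down(struct sem *s)
{
    if (s->count == 0)
        return false;
    s->count--;
    return true;
}

static struct sem event_semaphore, event_exit;
static int event_finished;
static bool thread_started;                  /* hypothetical guard flag */

/* spawn_ok stands in for kernel_thread() succeeding or failing. */
static int start_thread(bool spawn_ok)
{
    sem_init_locked(&event_exit);
    event_finished = 0;
    sem_init_locked(&event_semaphore);
    thread_started = spawn_ok;
    return spawn_ok ? 0 : -1;
}

/* Stop path as quoted in the report; false = down(&event_exit) never returns. */
static bool stop_thread_as_reported(void)
{
    event_finished = 1;
    sem_up(&event_semaphore);
    /* Assumed thread behaviour: wake up, see event_finished, release event_exit. */
    if (thread_started && sem_try_down(&event_semaphore) && event_finished)
        sem_up(&event_exit);
    return sem_try_down(&event_exit);
}

/* Guarded variant: do not wait for a thread that was never created. */
static bool stop_thread_guarded(void)
{
    return thread_started ? stop_thread_as_reported() : true;
}

int main(void)
{
    start_thread(false);
    printf("as reported: %s\n", stop_thread_as_reported() ? "returns" : "blocks forever");
    start_thread(false);
    printf("guarded:     %s\n", stop_thread_guarded() ? "returns" : "blocks forever");
    return 0;
}
```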