OOPS in 2.4.0-pre9 -- NULL pointer dereference in pci_insert_device

OOPS in 2.4.0-pre9 -- NULL pointer dereference in pci_insert_device

[Miles Lane]

This highly reproducible OOPS gets triggered when I insert my
Belkin BusPort Mobile after booting the machine with no other
PC Cards inserted.

Jan 26 14:22:34 agate kernel: Kernel command line: auto
BOOT_IMAGE=Serial-Debug ro root05 pci=biosirq console=ttyS0,38400
console=tty0 setup_delay\x10 
Jan 26 14:23:03 agate kernel: Unable to handle kernel paging request at
virtual address c5a347f4 
Jan 26 14:23:03 agate kernel: c01c5593 
Jan 26 14:23:03 agate kernel: *pde = 011af063 
Jan 26 14:23:03 agate kernel: Oops: 0000 
Jan 26 14:23:03 agate kernel: CPU:    0 
Jan 26 14:23:03 agate kernel: EIP:    0010:[<c01c5593>] 
Jan 26 14:23:03 agate kernel: EFLAGS: 00013206 
Jan 26 14:23:03 agate kernel: eax: 00000000   ebx: c5a347e0   ecx:
c027588c   edx: 00000000 
Jan 26 14:23:03 agate kernel: esi: c4708400   edi: c11bdc8b   ebp:
c11c48c0   esp: c11bdc48 
Jan 26 14:23:03 agate kernel: ds: 0018   es: 0018   ss: 0018 
Jan 26 14:23:03 agate kernel: Process keventd (pid: 2,
stackpage¡1bd000) 
Jan 26 14:23:03 agate kernel: Stack: c4708400 00000007 c01ceb6a c4708400
c11c48c0 0000001e c4ffa000 c11bdf2c  
Jan 26 14:23:03 agate kernel:        c11bc560 00000000 00000000 c4708524
c4708426 c11bdc8b 0000000b c4708400  
Jan 26 14:23:03 agate kernel:        01000100 00000000 1045c861 00000000
00000000 00000000 00000000 c11c48c0  
Jan 26 14:23:03 agate kernel: Call Trace: [<c01ceb6a>] [<c01cc0a5>]
[<c01cc010>] [<c01cbfa8>] [<c01cc238>] [<c01d0016>] [<c0119f9c>]  
Jan 26 14:23:03 agate kernel:        [<c01206e7>] [<c0105000>]
[<c0105000>] [<c010744f>]  
Jan 26 14:23:04 agate kernel: Code: 83 7b 14 00 74 0e 56 53 e8 8c fd ff
ff 83 c4 08 85 c0 75 0a  

>>EIP; c01c5593 <pci_insert_device+4b/a8>   <==Trace; c01ceb6a <CardServices+842/e7c>
Trace; c01cc0a5 <unregister_ss_entry+2e5/4d4>
Trace; c01cc010 <unregister_ss_entry+250/4d4>
Trace; c01cbfa8 <unregister_ss_entry+1e8/4d4>
Trace; c01cc238 <unregister_ss_entry+478/4d4>
Trace; c01d0016 <unregister_driver+dee/3158>
Trace; c0119f9c <__run_task_queue+50/1ac>
Trace; c01206e7 <schedule_task+187/208>
Trace; c0105000 <gdt+4dd4/6f24>
Trace; c0105000 <gdt+4dd4/6f24>
Trace; c010744f <kernel_thread+23/1a0>
Code;  c01c5593 <pci_insert_device+4b/a8>
00000000 <_EIP>:
Code;  c01c5593 <pci_insert_device+4b/a8>   <==   0:   83 7b 14 00               cmpl   $0x0,0x14(%ebx)   <==Code;  c01c5597 <pci_insert_device+4f/a8>
   4:   74 0e                     je     14 <_EIP+0x14> c01c55a7
<pci_insert_device+5f/a8>
Code;  c01c5599 <pci_insert_device+51/a8>
   6:   56                        push   %esi
Code;  c01c559a <pci_insert_device+52/a8>
   7:   53                        push   %ebx
Code;  c01c559b <pci_insert_device+53/a8>
   8:   e8 8c fd ff ff            call   fffffd99 <_EIP+0xfffffd99>
c01c532c <pci_match_device+74/c4>
Code;  c01c55a0 <pci_insert_device+58/a8>
   d:   83 c4 08                  add    $0x8,%esp
Code;  c01c55a3 <pci_insert_device+5b/a8>
  10:   85 c0                     test   %eax,%eax
Code;  c01c55a5 <pci_insert_device+5d/a8>
  12:   75 0a                     jne    1e <_EIP+0x1e> c01c55b1
<pci_insert_device+69/a8>

_______________________________________________
Linux-hotplug-devel mailing list  http://linux-hotplug.sourceforge.net
Linux-hotplug-devel@lists.sourceforge.net
http://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel

Re: OOPS in 2.4.0-pre9 -- NULL pointer dereference in pci_insert_device

[Andrew Morton]

Miles Lane wrote:
> 
> This highly reproducible OOPS gets triggered when I insert my
> Belkin BusPort Mobile after booting the machine with no other
> PC Cards inserted.
> 

I really can't work that trace out.  Are you sure it's
correct?  System.map kosher, etc?

_______________________________________________
Linux-hotplug-devel mailing list  http://linux-hotplug.sourceforge.net
Linux-hotplug-devel@lists.sourceforge.net
http://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel

Re: OOPS in 2.4.0-pre9 -- NULL pointer dereference in pci_insert_device

[Andrew Morton]

Miles Lane wrote:
> 
> Andrew Morton wrote:
> 
>  > Miles Lane wrote:
>  >
>  >> This highly reproducible OOPS gets triggered when I insert my
>  >> Belkin BusPort Mobile after booting the machine with no other
>  >> PC Cards inserted.
>  >>
>  >
>  >
>  > I really can't work that trace out.  Are you sure it's
>  > correct?  System.map kosher, etc?
> 
> Hi Andrew,
> 
> I am adding Linus to the TO:, since this problem may be in his
> yenta code.

I took him off again :)  Let's suprise him when we have a fix.
I suspect it's a broken driver and not yenta.


> I'm really not sure what why the OOPS I sent was bogus.
> Perhaps these new OOPS traces will be more useful.  I hope so!

Yep.  The PCI driver list has become corrupted.  The bug
probably happened waaay before the oops, so we need to
find out who did this.  It can happen if a driver fails
to unregister itself and then gets unloaded.  Ten seconds
later, boom.

Please try this patch.  It just checks the sanity of
the PCI driver list where ever it's touched, and also
immediately prior to module unload.

It's against 2.4.2-pre1.  Hopefully it'll apply to
Alan's kernel.  If the patch finds something, please
feed through ksymooops.



--- linux-2.4.2-pre1/kernel/module.c	Tue Nov 28 12:38:07 2000
+++ lk/kernel/module.c	Fri Feb  9 00:29:00 2001
@@ -1052,6 +1052,9 @@
 
 	/* And free the memory.  */
 
+	memset(mod, 0, mod->size);
+#define CHECK_PCI_DRIVERS()	check_pci_drivers(__FUNCTION__, __LINE__)
+	CHECK_PCI_DRIVERS();
 	module_unmap(mod);
 }
 
--- linux-2.4.2-pre1/drivers/pci/pci.c	Tue Dec 12 08:46:26 2000
+++ lk/drivers/pci/pci.c	Fri Feb  9 00:18:02 2001
@@ -36,6 +36,21 @@
 
 LIST_HEAD(pci_root_buses);
 LIST_HEAD(pci_devices);
+static LIST_HEAD(pci_drivers);
+
+#define CHECK_PCI_DRIVERS()	check_pci_drivers(__FUNCTION__, __LINE__)
+
+void check_pci_drivers(const char *who, int where)
+{
+	struct list_head *ln;
+	for(ln=pci_drivers.next; ln != &pci_drivers; ln=ln->next) {
+		struct pci_driver *drv = list_entry(ln, struct pci_driver, node);
+		if (drv = 0) {
+			printk("PCI driver list corrupted in %s:%d\n", who, where);
+			show_trace(0);
+		}
+	}
+}
 
 /**
  * pci_find_slot - locate PCI device from a given PCI slot
@@ -52,6 +67,7 @@
 {
 	struct pci_dev *dev;
 
+	CHECK_PCI_DRIVERS();
 	pci_for_each_dev(dev) {
 		if (dev->bus->number = bus && dev->devfn = devfn)
 			return dev;
@@ -67,6 +83,7 @@
 {
 	struct list_head *n = from ? from->global_list.next : pci_devices.next;
 
+	CHECK_PCI_DRIVERS();
 	while (n != &pci_devices) {
 		struct pci_dev *dev = pci_dev_g(n);
 		if ((vendor = PCI_ANY_ID || dev->vendor = vendor) &&
@@ -117,6 +134,7 @@
 {
 	struct list_head *n = from ? from->global_list.next : pci_devices.next;
 
+	CHECK_PCI_DRIVERS();
 	while (n != &pci_devices) {
 		struct pci_dev *dev = pci_dev_g(n);
 		if (dev->class = class)
@@ -134,6 +152,7 @@
 	u8 pos, id;
 	int ttl = 48;
 
+	CHECK_PCI_DRIVERS();
 	pci_read_config_word(dev, PCI_STATUS, &status);
 	if (!(status & PCI_STATUS_CAP_LIST))
 		return 0;
@@ -177,6 +196,7 @@
 	int i;
 	struct resource *best = NULL;
 
+	CHECK_PCI_DRIVERS();
 	for(i=0; i<4; i++) {
 		struct resource *r = bus->resource[i];
 		if (!r)
@@ -252,6 +272,7 @@
 {
 	int err;
 
+	CHECK_PCI_DRIVERS();
 	if ((err = pcibios_enable_device(dev)) < 0)
 		return err;
 	pci_set_power_state(dev, 0);
@@ -263,6 +284,7 @@
 {
 	u8 pin;
 
+	CHECK_PCI_DRIVERS();
 	pci_read_config_byte(dev, PCI_INTERRUPT_PIN, &pin);
 	if (!pin)
 		return -1;
@@ -279,8 +301,6 @@
  *  Registration of PCI drivers and handling of hot-pluggable devices.
  */
 
-static LIST_HEAD(pci_drivers);
-
 const struct pci_device_id *
 pci_match_device(const struct pci_device_id *ids, const struct pci_dev *dev)
 {
@@ -302,6 +322,7 @@
 	const struct pci_device_id *id;
 	int ret = 0;
 
+	CHECK_PCI_DRIVERS();
 	if (drv->id_table) {
 		id = pci_match_device(drv->id_table, dev);
 		if (!id) {
@@ -312,10 +333,12 @@
 		id = NULL;
 
 	dev_probe_lock();
+	CHECK_PCI_DRIVERS();
 	if (drv->probe(dev, id) >= 0) {
 		dev->driver = drv;
 		ret = 1;
 	}
+	CHECK_PCI_DRIVERS();
 	dev_probe_unlock();
 out:
 	return ret;
@@ -327,11 +350,13 @@
 	struct pci_dev *dev;
 	int count = 0;
 
+	CHECK_PCI_DRIVERS();
 	list_add_tail(&drv->node, &pci_drivers);
 	pci_for_each_dev(dev) {
 		if (!pci_dev_driver(dev))
 			count += pci_announce_device(drv, dev);
 	}
+	CHECK_PCI_DRIVERS();
 	return count;
 }
 
@@ -340,14 +365,19 @@
 {
 	struct pci_dev *dev;
 
+	CHECK_PCI_DRIVERS();
 	list_del(&drv->node);
 	pci_for_each_dev(dev) {
 		if (dev->driver = drv) {
-			if (drv->remove)
+			if (drv->remove) {
+				CHECK_PCI_DRIVERS();
 				drv->remove(dev);
+				CHECK_PCI_DRIVERS();
+			}
 			dev->driver = NULL;
 		}
 	}
+	CHECK_PCI_DRIVERS();
 }
 
 #ifdef CONFIG_HOTPLUG
@@ -393,7 +423,9 @@
 		envp[i++] = "ACTION=remove";
 	envp[i] = 0;
 
+	CHECK_PCI_DRIVERS();
 	call_usermodehelper (argv [0], argv, envp);
+	CHECK_PCI_DRIVERS();
 }
 
 void
@@ -401,6 +433,7 @@
 {
 	struct list_head *ln;
 
+	CHECK_PCI_DRIVERS();
 	list_add_tail(&dev->bus_list, &bus->devices);
 	list_add_tail(&dev->global_list, &pci_devices);
 #ifdef CONFIG_PROC_FS
@@ -408,6 +441,10 @@
 #endif
 	for(ln=pci_drivers.next; ln != &pci_drivers; ln=ln->next) {
 		struct pci_driver *drv = list_entry(ln, struct pci_driver, node);
+		if (drv = 0) {
+			printk("oops avoided\n");
+			return;
+		}
 		if (drv->remove && pci_announce_device(drv, dev))
 			break;
 	}
@@ -421,21 +458,25 @@
 {
 	int i;
 
+	CHECK_PCI_DRIVERS();
 	for (i = 0; i < PCI_NUM_RESOURCES; i++) {
 		struct resource *res = dev->resource + i;
 		if (res->parent)
 			release_resource(res);
 	}
+	CHECK_PCI_DRIVERS();
 }
 
 void
 pci_remove_device(struct pci_dev *dev)
 {
+	CHECK_PCI_DRIVERS();
 	if (dev->driver) {
 		if (dev->driver->remove)
 			dev->driver->remove(dev);
 		dev->driver = NULL;
 	}
+	CHECK_PCI_DRIVERS();
 	list_del(&dev->bus_list);
 	list_del(&dev->global_list);
 	pci_free_resources(dev);
@@ -1072,21 +1113,25 @@
  */
 static int pci_pm_suspend_device(struct pci_dev *dev)
 {
+	CHECK_PCI_DRIVERS();
 	if (dev) {
 		struct pci_driver *driver = dev->driver;
 		if (driver && driver->suspend)
 			driver->suspend(dev);
 	}
+	CHECK_PCI_DRIVERS();
 	return 0;
 }
 
 static int pci_pm_resume_device(struct pci_dev *dev)
 {
+	CHECK_PCI_DRIVERS();
 	if (dev) {
 		struct pci_driver *driver = dev->driver;
 		if (driver && driver->resume)
 			driver->resume(dev);
 	}
+	CHECK_PCI_DRIVERS();
 	return 0;
 }

_______________________________________________
Linux-hotplug-devel mailing list  http://linux-hotplug.sourceforge.net
Linux-hotplug-devel@lists.sourceforge.net
http://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel