Fix wrong struct pci_dev reference counter handling in acpi_pci_bind(). The 'dev' field of struct acpi_pci_data is having a pointer to struct pci_dev without incrementing the reference counter. Because of this, I got the following kernel oops when I was doing some pci hotplug operations. This patch fixes this bug by replacing wrong hand-made pci_find_slot() with pci_get_slot() in acpi_pci_bind(). [ 206.427004] BUG: unable to handle kernel NULL pointer dereference at 00000000000000e8 [ 206.427076] IP: [<ffffffff803f0e9b>] acpi_pci_unbind+0xb1/0xdd [ 206.427076] PGD 8225ad067 PUD 82258b067 PMD 0 [ 206.427076] Oops: 0000 [#1] SMP [ 206.427076] last sysfs file: /sys/bus/pci/slots/1/power [ 206.427076] CPU 2 [ 206.427076] Modules linked in: acpiphp ipv6 autofs4 hidp rfcomm l2cap bluetooth sunrpc dm_mirror dm_region_hash dm_log dm_multipath scsi_dh dm_mod sbs sbshc pci_slot battery ac parport_pc lp parport sg mptspi mptscsih mptbase scsi_transport_spi sr_mod cdrom e1000e serio_raw button i2c_i801 i2c_core shpchp pcspkr ata_piix libata megaraid_sas sd_mod scsi_mod crc_t10dif ext3 jbd uhci_hcd ohci_hcd ehci_hcd [last unloaded: microcode] [ 206.427076] Pid: 10367, comm: bash Not tainted 2.6.30-rc4-kk #10 PRIMERGY [ 206.427076] RIP: 0010:[<ffffffff803f0e9b>] [<ffffffff803f0e9b>] acpi_pci_unbind+0xb1/0xdd [ 206.427076] RSP: 0018:ffff8808225a9d68 EFLAGS: 00010206 [ 206.427076] RAX: 0000000000000000 RBX: ffff88083c547800 RCX: 0000000000000006 [ 206.427076] RDX: ffff88083ce36ca0 RSI: ffff880822508768 RDI: 0000000000000000 [ 206.427076] RBP: ffff8808225a9d98 R08: 0000000000000000 R09: 0000000000000000 [ 206.427076] R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000001 [ 206.427076] R13: 0000000000000000 R14: 0000000000000001 R15: ffff8808225a9e28 [ 206.427076] FS: 00007f376c4ee6e0(0000) GS:ffff880054636000(0000) knlGS:0000000000000000 [ 206.427076] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b [ 206.427076] CR2: 00000000000000e8 CR3: 0000000822590000 CR4: 00000000000006e0 [ 206.427076] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 206.427076] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 [ 206.427076] Process bash (pid: 10367, threadinfo ffff8808225a8000, task ffff880822508000) [ 206.427076] Stack: [ 206.427076] 000000000000001f ffff88083addd5a0 ffff8808225a9d98 ffff88083ce36ca0 [ 206.427076] ffff88083c547800 ffff88083c547800 ffff8808225a9db8 ffffffff803ecee4 [ 206.427076] ffff88083c547800 ffff88083c547000 ffff8808225a9e08 ffffffff803ecf6d [ 206.427076] Call Trace: [ 206.427076] [<ffffffff803ecee4>] acpi_bus_remove+0x54/0x68 [ 206.427076] [<ffffffff803ecf6d>] acpi_bus_trim+0x75/0xe3 [ 206.427076] [<ffffffffa0345ddd>] acpiphp_disable_slot+0x16d/0x1e0 [acpiphp] [ 206.427076] [<ffffffffa03441f0>] disable_slot+0x20/0x60 [acpiphp] [ 206.427076] [<ffffffff803cfc18>] power_write_file+0xc8/0x110 [ 206.427076] [<ffffffff803c6a54>] pci_slot_attr_store+0x24/0x30 [ 206.427076] [<ffffffff803469ce>] sysfs_write_file+0xce/0x140 [ 206.427076] [<ffffffff802e94e7>] vfs_write+0xc7/0x170 [ 206.427076] [<ffffffff802e9aa0>] sys_write+0x50/0x90 [ 206.427076] [<ffffffff8020bd6b>] system_call_fastpath+0x16/0x1b [ 206.427076] Code: be 2b 01 00 00 48 c7 c7 d0 c6 5a 80 31 c0 e8 c3 8f 01 00 eb 36 48 8b 55 e8 48 8b 42 10 48 83 78 18 00 74 13 48 8b 42 08 0f b7 3a <0f> b6 b0 e8 00 00 00 e8 ab f8 ff ff 48 8b 7d e8 e8 30 cf ee ff [ 206.427076] RIP [<ffffffff803f0e9b>] acpi_pci_unbind+0xb1/0xdd [ 206.427076] RSP <ffff8808225a9d68> [ 206.427076] CR2: 00000000000000e8 [ 206.440158] ---[ end trace 1ca3974fa717e665 ]--- Signed-off-by: Kenji Kaneshige <kaneshige.kenji@xxxxxxxxxxxxxx> drivers/acpi/pci_bind.c | 21 ++++++--------------- 1 file changed, 6 insertions(+), 15 deletions(-) Index: 20090521/drivers/acpi/pci_bind.c =================================================================== --- 20090521.orig/drivers/acpi/pci_bind.c +++ 20090521/drivers/acpi/pci_bind.c @@ -116,9 +116,6 @@ int acpi_pci_bind(struct acpi_device *de struct acpi_pci_data *pdata; struct acpi_buffer buffer = { ACPI_ALLOCATE_BUFFER, NULL }; acpi_handle handle; - struct pci_dev *dev; - struct pci_bus *bus; - if (!device || !device->parent) return -EINVAL; @@ -180,16 +177,8 @@ int acpi_pci_bind(struct acpi_device *de * PCI devices are added to the global pci list when the root * bridge start ops are run, which may not have happened yet. */ - bus = pci_find_bus(data->id.segment, data->id.bus); - if (bus) { - list_for_each_entry(dev, &bus->devices, bus_list) { - if (dev->devfn == PCI_DEVFN(data->id.device, - data->id.function)) { - data->dev = dev; - break; - } - } - } + data->dev = pci_get_slot(pdata->bus, + PCI_DEVFN(data->id.device, data->id.function)); if (!data->dev) { ACPI_DEBUG_PRINT((ACPI_DB_INFO, "Device %04x:%02x:%02x.%d not present in PCI namespace\n", @@ -259,9 +248,10 @@ int acpi_pci_bind(struct acpi_device *de end: kfree(buffer.pointer); - if (result) + if (result) { + pci_dev_put(data->dev); kfree(data); - + } return result; } @@ -303,6 +293,7 @@ static int acpi_pci_unbind(struct acpi_d if (data->dev->subordinate) { acpi_pci_irq_del_prt(data->id.segment, data->bus->number); } + pci_dev_put(data->dev); kfree(data); end: -- To unsubscribe from this list: send the line "unsubscribe linux-pci" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html