PCI: Make pci_scan_slot more robust
authorMatthew Wilcox <matthew@wil.cx>
Sun, 17 Jan 2010 21:01:41 +0000 (14:01 -0700)
committerJesse Barnes <jbarnes@virtuousgeek.org>
Tue, 23 Feb 2010 00:17:17 +0000 (16:17 -0800)
Yinghai pointed out that the new pci_scan_slot() crashes when called
on an ARI-capable slot that is empty.  Fix this by exiting early from
pci_scan_slot if there is no device in the slot.

Also make next_ari_func() robust against devices not existing in case
the ARI capability is corrupt.  ARI also requires that the devices be
listed in order, so if we find a function listed that is out of order,
stop scanning to prevent loops.

Signed-off-by: Matthew Wilcox <matthew@wil.cx>
Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
drivers/pci/probe.c

index 9672760c7ade3233ab8656f3b5eb45fe0e50d389..233d1c275d96aa885df906bcd0a30fd019ff601a 100644 (file)
@@ -1222,11 +1222,19 @@ EXPORT_SYMBOL(pci_scan_single_device);
 static unsigned next_ari_fn(struct pci_dev *dev, unsigned fn)
 {
        u16 cap;
-       unsigned pos = pci_find_ext_capability(dev, PCI_EXT_CAP_ID_ARI);
+       unsigned pos, next_fn;
+
+       if (!dev)
+               return 0;
+
+       pos = pci_find_ext_capability(dev, PCI_EXT_CAP_ID_ARI);
        if (!pos)
                return 0;
        pci_read_config_word(dev, pos + 4, &cap);
-       return cap >> 8;
+       next_fn = cap >> 8;
+       if (next_fn <= fn)
+               return 0;
+       return next_fn;
 }
 
 static unsigned next_trad_fn(struct pci_dev *dev, unsigned fn)
@@ -1271,12 +1279,14 @@ int pci_scan_slot(struct pci_bus *bus, int devfn)
                return 0; /* Already scanned the entire slot */
 
        dev = pci_scan_single_device(bus, devfn);
-       if (dev && !dev->is_added)      /* new device? */
+       if (!dev)
+               return 0;
+       if (!dev->is_added)
                nr++;
 
        if (pci_ari_enabled(bus))
                next_fn = next_ari_fn;
-       else if (dev && dev->multifunction)
+       else if (dev->multifunction)
                next_fn = next_trad_fn;
 
        for (fn = next_fn(dev, 0); fn > 0; fn = next_fn(dev, fn)) {