Hi,

I have tried with following patch and I am still getting same kernel panic.

-------------X++++++++++++++++++++X---------------------

diff --git a/drivers/pci/pcie/aer/aerdrv_core.c b/drivers/pci/pcie/aer/aerdrv_core.c
index 0f4554e..05592aa 100644
--- a/drivers/pci/pcie/aer/aerdrv_core.c
+++ b/drivers/pci/pcie/aer/aerdrv_core.c
@@ -26,6 +26,7 @@
 #include <linux/slab.h>
 #include <linux/kfifo.h>
 #include "aerdrv.h"
+#include "../../pci.h"

 static bool forceload;
 static bool nosourceid;
@@ -82,7 +82,7 @@ EXPORT_SYMBOL_GPL(pci_cleanup_aer_uncorrect_error_status);
 static int add_error_device(struct aer_err_info *e_info, struct pci_dev *dev)
 {
  if (e_info->error_dev_num < AER_MAX_MULTI_ERR_DEVICES) {
- e_info->dev[e_info->error_dev_num] = dev;
+ e_info->dev[e_info->error_dev_num] = pci_dev_get(dev);
  e_info->error_dev_num++;
  return 0;
  }
@@ -659,6 +659,9 @@ static int get_device_error_info(struct pci_dev *dev, struct aer_err_info *info)
  if (!pos)
  return 1;

+        if (pci_dev_is_disconnected(dev))
+                return 0;
+
  if (info->severity == AER_CORRECTABLE) {
  pci_read_config_dword(dev, pos + PCI_ERR_COR_STATUS,
  &info->status);
@@ -710,6 +713,8 @@ static inline void aer_process_err_devices(struct pcie_device *p_device,
  for (i = 0; i < e_info->error_dev_num && e_info->dev[i]; i++) {
  if (get_device_error_info(e_info->dev[i], e_info))
  handle_error_source(p_device, e_info->dev[i], e_info);
+
+                pci_dev_put(e_info->dev[i]);
  }
 }
-------------X++++++++++++++++++++X---------------------


Note: I have configured CONFIG_HOTPLUG_PCI_PCIE and CONFIG_HOTPLUG_PCI as modules and  loading in start up using script. 

root@/proc/:~# cat config | grep -i HOT
CONFIG_TICK_ONESHOT=y
CONFIG_HOTPLUG=y
# CONFIG_MEMORY_HOTPLUG is not set
CONFIG_HOTPLUG_CPU=y
# CONFIG_BOOTPARAM_HOTPLUG_CPU0 is not set
# CONFIG_DEBUG_HOTPLUG_CPU0 is not set
CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
CONFIG_ACPI_HOTPLUG_CPU=y
CONFIG_HOTPLUG_PCI_PCIE=m
CONFIG_HOTPLUG_PCI=m
# CONFIG_HOTPLUG_PCI_CPCI is not set
# CONFIG_HOTPLUG_PCI_SHPC is not set
CONFIG_DM_SNAPSHOT=y
# CONFIG_USB_STORAGE_JUMPSHOT is not set
# CONFIG_TRACER_SNAPSHOT is not set
root@/proc/:~#

Panic back trace :
crash> bt
PID: 24     TASK: ffff880274ac0000  CPU: 0   COMMAND: "kworker/0:1"
 #0 [ffff880274abbac8] machine_kexec at ffffffff8102cf18
 #1 [ffff880274abbb28] crash_kexec at ffffffff810a6b05
 #2 [ffff880274abbbf0] oops_end at ffffffff8176d8a0
 #3 [ffff880274abbc18] die at ffffffff810060db
 #4 [ffff880274abbc48] do_general_protection at ffffffff8176d392
 #5 [ffff880274abbc70] general_protection at ffffffff8176cd32
    [exception RIP: pci_bus_read_config_dword+100]
    RIP: ffffffff813405f4  RSP: ffff880274abbd20  RFLAGS: 00010046
    RAX: 435f494350006963  RBX: ffff880274891800  RCX: 0000000000000004
    RDX: 0000000000000ffc  RSI: 0000000000000060  RDI: ffff880274891800
    RBP: ffff880274abbd48   R8: ffff880274abbd2c   R9: 00000000000002b8
    R10: ffff880274340000  R11: 0000000000000246  R12: ffff880274abbd5c
    R13: 0000000000000246  R14: 0000000000000000  R15: ffff880274920000
    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
 #6 [ffff880274abbd50] pci_find_next_ext_capability at ffffffff81345db6
 #7 [ffff880274abbd90] pci_find_ext_capability at ffffffff81347225
 #8 [ffff880274abbda0] get_device_error_info at ffffffff81356c4d
 #9 [ffff880274abbdd0] aer_isr at ffffffff81357ab0
#10 [ffff880274abbe28] process_one_work at ffffffff8105d4c0
#11 [ffff880274abbe70] worker_thread at ffffffff8105e251
#12 [ffff880274abbed0] kthread at ffffffff81064260
#13 [ffff880274abbf50] ret_from_fork at ffffffff81773978
crash>


Regards,
Gokul 

On Thu, Aug 2, 2018 at 10:39 PM, Thomas Tai <thomas.tai@oracle.com> wrote:

On 08/02/2018 11:07 AM, Lukas Wunner wrote:
[cc += Thomas Tai]

Hi Lukas,
Thank you very much for cc me.

On Thu, Aug 02, 2018 at 10:46:57AM +0200, Lukas Wunner wrote:
On Thu, Aug 02, 2018 at 12:59:18PM +0530, gokul cg wrote:
I am suspecting a possible race condition in the kernel between PCI driver
and AER handling.

The solution is to acquire a ref on each device in add_error_device().
Then release the ref aer_process_err_devices() by calling pci_dev_put().

So in case it wasn't clear, the below is what I had in mind.
Completely untested though.  Does this work for you?

For v3.10 compatibility, cherry-pick 89ee9f768003 (or alternatively
cherry-pick 8496e85c20e7 and replace pci_dev_is_disconnected(dev)
with !pci_device_is_present(dev)).

-- >8 --
Subject: [PATCH] PCI/AER: Fix use-after-free on surprise removal

The work item to consume errors, aer_isr(), walks the hierarchy using
pci_walk_bus() and stores a pointer to PCI devices which reported an
error in an array.  As long as pci_walk_bus() runs, those pointers are
valid because pci_bus_sem is held.  But once pci_walk_bus() finishes,
nothing prevents the pointers from becoming invalid, e.g. through
unplugging of the PCI devices.  The unprotected pointers are then
dereferenced in aer_process_err_devices(), which may oops:

 I like your idea to increment the refcount during pci_walk_bus(), that should fix the use-after-free issue. We just need Gokul to confirm if it fixes his issue or not.

Thanks,
Thomas



   #5  general_protection at ffffffff8176cdf2
       [exception RIP: pci_bus_read_config_dword+100]
   #6  pci_find_next_ext_capability at ffffffff81345d7b
   #7  pci_find_ext_capability at ffffffff81347225
   #8  get_device_error_info at ffffffff81356c4d
   #9  aer_isr at ffffffff81357a38

Fix by holding a ref on the devices until they have been processed.
Skip processing of unplugged devices.

Reported-by: gokul cg <gokuljnpr@gmail.com>
Signed-off-by: Lukas Wunner <lukas@wunner.de>
---
  drivers/pci/pcie/aer.c | 6 +++++-
  1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/pci/pcie/aer.c b/drivers/pci/pcie/aer.c
index a2e8838..937592e 100644
--- a/drivers/pci/pcie/aer.c
+++ b/drivers/pci/pcie/aer.c
@@ -657,7 +657,7 @@ void cper_print_aer(struct pci_dev *dev, int aer_severity,
  static int add_error_device(struct aer_err_info *e_info, struct pci_dev *dev)
  {
        if (e_info->error_dev_num < AER_MAX_MULTI_ERR_DEVICES) {
-               e_info->dev[e_info->error_dev_num] = dev;
+               e_info->dev[e_info->error_dev_num] = pci_dev_get(dev);
                e_info->error_dev_num++;
                return 0;
        }
@@ -898,6 +898,9 @@ static int get_device_error_info(struct pci_dev *dev, struct aer_err_info *info)
        if (!pos)
                return 0;
  +     if (pci_dev_is_disconnected(dev))
+               return 0;
+
        if (info->severity == AER_CORRECTABLE) {
                pci_read_config_dword(dev, pos + PCI_ERR_COR_STATUS,
                        &info->status);
@@ -948,6 +951,7 @@ static inline void aer_process_err_devices(struct aer_err_info *e_info)
        for (i = 0; i < e_info->error_dev_num && e_info->dev[i]; i++) {
                if (get_device_error_info(e_info->dev[i], e_info))
                        handle_error_source(e_info->dev[i], e_info);
+               pci_dev_put(e_info->dev[i]);
        }
  }