| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
KASAN report null-ptr-deref as follows:
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:ipmi_unregister_smi+0x7d/0xd50 drivers/char/ipmi/ipmi_msghandler.c:3680
Call Trace:
ipmi_ipmb_remove+0x138/0x1a0 drivers/char/ipmi/ipmi_ipmb.c:443
ipmi_ipmb_probe+0x409/0xda1 drivers/char/ipmi/ipmi_ipmb.c:548
i2c_device_probe+0x959/0xac0 drivers/i2c/i2c-core-base.c:563
really_probe+0x3f3/0xa70 drivers/base/dd.c:541
In ipmi_ipmb_probe(), 'iidev->intf' is not set before
ipmi_register_smi() success. And in the error handling case,
ipmi_ipmb_remove() is called to release resources, ipmi_unregister_smi()
is called without check 'iidev->intf', this will cause KASAN
null-ptr-deref issue.
General kernel style is to allow NULL to be passed into unregister
calls, so fix it that way. This allows a NULL check to be removed in
other code.
Fixes: 57c9e3c9a374 ("ipmi:ipmi_ipmb: Unregister the SMI on remove")
Reported-by: Hulk Robot <hulkci@huawei.com>
Cc: stable@vger.kernel.org # v5.17+
Cc: Wei Yongjun <weiyongjun1@huawei.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
|
|
coccicheck complains about the use of snprintf() in sysfs show
functions:
WARNING use scnprintf or sprintf
Use sysfs_emit instead of scnprintf, snprintf or sprintf makes more
sense.
Reported-by: Zeal Robot <zealci@zte.com.cn>
Signed-off-by: Ye Guojin <ye.guojin@zte.com.cn>
Message-Id: <20211021110608.1060260-1-ye.guojin@zte.com.cn>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
|
|
Pull IPMI updates from Corey Minyard:
"A couple of very minor fixes for style and rate limiting.
Nothing big, but probably needs to go in"
* tag 'for-linus-5.15-1' of git://github.com/cminyard/linux-ipmi:
char: ipmi: use DEVICE_ATTR helper macro
ipmi: rate limit ipmi smi_event failure message
|
|
The caller of this function (parisc_driver_remove() in
arch/parisc/kernel/drivers.c) ignores the return value, so better don't
return any value at all to not wake wrong expectations in driver authors.
The only function that could return a non-zero value before was
ipmi_parisc_remove() which returns the return value of
ipmi_si_remove_by_dev(). Make this function return void, too, as for all
other callers the value is ignored, too.
Also fold in a small checkpatch fix for:
WARNING: Unnecessary space before function pointer arguments
+ void (*remove) (struct parisc_device *dev);
Acked-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> (for drivers/input)
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Acked-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Acked-by: Jiri Slaby <jirislaby@kernel.org>
Signed-off-by: Helge Deller <deller@gmx.de>
|
|
Instead of open coding DEVICE_ATTR, use the helper macro
DEVICE_ATTR_RO to replace DEVICE_ATTR with 0444 octal
permissions.
This was detected as a part of checkpatch evaluation
investigating all reports of DEVICE_ATTR_RO warning
type.
Signed-off-by: Dwaipayan Ray <dwaipayanray1@gmail.com>
Message-Id: <20210730062951.84876-1-dwaipayanray1@gmail.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
|
|
Sometimes we can't get a valid si_sm_data, and we print an error
message accordingly. But the ipmi module seem to like retrying a lot,
in which case we flood the kernel log with a lot of messages, eg:
[46318019.164726] ipmi_si IPI0001:00: Could not set the global enables: 0xc1.
[46318020.109700] ipmi_si IPI0001:00: Could not set the global enables: 0xc1.
[46318021.158677] ipmi_si IPI0001:00: Could not set the global enables: 0xc1.
[46318022.212598] ipmi_si IPI0001:00: Could not set the global enables: 0xc1.
[46318023.258564] ipmi_si IPI0001:00: Could not set the global enables: 0xc1.
[46318024.210455] ipmi_si IPI0001:00: Could not set the global enables: 0xc1.
[46318025.260473] ipmi_si IPI0001:00: Could not set the global enables: 0xc1.
[46318026.308445] ipmi_si IPI0001:00: Could not set the global enables: 0xc1.
[46318027.356389] ipmi_si IPI0001:00: Could not set the global enables: 0xc1.
[46318028.298288] ipmi_si IPI0001:00: Could not set the global enables: 0xc1.
[46318029.363302] ipmi_si IPI0001:00: Could not set the global enables: 0xc1.
Signed-off-by: Wen Yang <wenyang@linux.alibaba.com>
Cc: Baoyou Xie <baoyou.xie@alibaba-inc.com>
Cc: Corey Minyard <minyard@acm.org>
Cc: openipmi-developer@lists.sourceforge.net
Cc: linux-kernel@vger.kernel.org
Message-Id: <20210729093228.77098-1-wenyang@linux.alibaba.com>
[Added a missing comma]
Signed-off-by: Corey Minyard <cminyard@mvista.com>
|
|
For easy grepping on debug purposes join string literals back in
the messages.
No functional change.
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Message-Id: <20210402174334.13466-11-andriy.shevchenko@linux.intel.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
|
|
The ->addr_source_cleanup() callback is solely used by PCI driver
and only for one purpose, i.e. to disable device. Get rid of
->addr_source_cleanup() by switching to PCI managed API.
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Message-Id: <20210402174334.13466-8-andriy.shevchenko@linux.intel.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
|
|
Instead of making the comparison one by one, reuse si_to_str[] array
in ipmi_hardcode_init_one() in conjunction with match_string() API.
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Message-Id: <20210402174334.13466-7-andriy.shevchenko@linux.intel.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
|
|
Rarely but still failures are observed while getting BMC device ID
so this commit changes the condition to retry to get device id
when cc is not IPMI_CC_NO_ERROR.
Signed-off-by: Terry Duncan <terry.s.duncan@intel.com>
Signed-off-by: Jae Hyun Yoo <jae.hyun.yoo@linux.intel.com>
Message-Id: <20210225045027.9344-1-jae.hyun.yoo@linux.intel.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
|
|
On an error exit path, a negative error code should be returned
instead of a positive return value.
Fixes: 90b2d4f15ff7 ("ipmi_si: Remove hacks for adding a dummy platform devices")
Cc: Corey Minyard <cminyard@mvista.com>
Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Message-Id: <20201005145212.84435-1-tianjia.zhang@linux.alibaba.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
|
|
The type for the completion codes should be unsigned char instead of
char. If it is declared as a normal char then the conditions in
__get_device_id() are impossible because the IPMI_DEVICE_IN_FW_UPDATE_ERR
error codes are higher than 127.
drivers/char/ipmi/ipmi_msghandler.c:2449 __get_device_id()
warn: impossible condition '(bmc->cc == 209) => ((-128)-127 == 209)'
Fixes: f8910ffa81b0 ("ipmi:msghandler: retry to get device id on an error")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Message-Id: <20200918142756.GB909725@mwanda>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
|
|
Use a retry machanism to give the BMC more opportunities to correctly
respond when we receive specific completion codes.
This is similar to what is done in __get_device_id().
Signed-off-by: Xianting Tian <tian.xianting@h3c.com>
Message-Id: <20200916062129.26129-1-tian.xianting@h3c.com>
[Moved GET_DEVICE_ID_MAX_RETRY to include/linux/ipmi.h, reworded some
text.]
Signed-off-by: Corey Minyard <cminyard@mvista.com>
|
|
As this file got moved, fix references for it.
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Link: https://lore.kernel.org/r/b6c1ded590f27198de15b16237509128e55fa810.1588345503.git.mchehab+huawei@kernel.org
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
|
|
'struct timespec' is getting removed from the kernel. The usage in ipmi
was fixed before in commit 48862ea2ce86 ("ipmi: Update timespec usage
to timespec64"), but unfortunately it crept back in.
The busy looping code can better use ktime_t anyway, so use that
there to simplify the implementation.
Fixes: cbb19cb1eef0 ("ipmi_si: Convert timespec64 to timespec")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Message-Id: <20191108203435.112759-5-arnd@arndb.de>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
|
|
smi_mod_timer() enables the timer before setting timer_running. This
means the timer can be running when we get to stop_timer_and_thread()
without timer_running having been set, resulting in del_timer_sync()
not being called and the timer being left to cause havoc during
shutdown.
Instead just call del_timer_sync() unconditionally
Signed-off-by: Jes Sorensen <jsorensen@fb.com>
Message-Id: <20190828203625.32093-2-Jes.Sorensen@gmail.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
|
|
ipmi_thread() uses back-to-back schedule() to poll for command
completion which, on some machines, can push up CPU consumption and
heavily tax the scheduler locks leading to noticeable overall
performance degradation.
This was originally added so firmware updates through IPMI would
complete in a timely manner. But we can't kill the scheduler
locks for that one use case.
Instead, only run schedule() continuously in maintenance mode,
where firmware updates should run.
Signed-off-by: Corey Minyard <cminyard@mvista.com>
|
|
Better conform with kernel style.
Signed-off-by: Corey Minyard <cminyard@mvista.com>
|
|
Kernel preferences are for octal values instead of symbols.
Signed-off-by: Corey Minyard <cminyard@mvista.com>
|
|
ipmi_si_sm.h was getting included in lots of places it didn't
belong. Rework things a bit to remove all the dependencies,
mostly just moving things between include files that were in
the wrong place and removing bogus includes.
Signed-off-by: Corey Minyard <cminyard@mvista.com>
|
|
There is no need for timespec64, and it will cause issues in the
future with i386 and 64-bit division not being available.
Signed-off-by: Corey Minyard <cminyard@mvista.com>
|
|
Cover 'int' to 'bool' type for initialized variable.
Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
Message-Id: <20190517101245.4341-2-wangkefeng.wang@huawei.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
|
|
The "init_name" variable isn't used any more after commit 90b2d4f15ff7
("ipmi_si: Remove hacks for adding a dummy platform devices").
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Message-Id: <20190322065426.GB12551@kadam>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
|
|
All the IPMI address sources now supply a real device. This cheap
hack is no longer necessary.
Signed-off-by: Corey Minyard <cminyard@mvista.com>
|
|
When a hotmod-added device is removed or when the module is removed,
remove the platform devices that was created for it.
Signed-off-by: Corey Minyard <cminyard@mvista.com>
|
|
Don't force the main code to create one for it.
Signed-off-by: Corey Minyard <cminyard@mvista.com>
|
|
Make the naming consistent, and make the values an enum.
Signed-off-by: Corey Minyard <cminyard@mvista.com>
|
|
When excuting a command like:
modprobe ipmi_si ports=0xffc0e3 type=bt
The system would get an oops.
The trouble here is that ipmi_si_hardcode_find_bmc() is called before
ipmi_si_platform_init(), but initialization of the hard-coded device
creates an IPMI platform device, which won't be initialized yet.
The real trouble is that hard-coded devices aren't created with
any device, and the fixup is done later. So do it right, create the
hard-coded devices as normal platform devices.
This required adding some new resource types to the IPMI platform
code for passing information required by the hard-coded device
and adding some code to remove the hard-coded platform devices
on module removal.
To enforce the "hard-coded devices passed by the user take priority
over firmware devices" rule, some special code was added to check
and see if a hard-coded device already exists.
Reported-by: Yang Yingliang <yangyingliang@huawei.com>
Cc: stable@vger.kernel.org # v4.15+
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Tested-by: Yang Yingliang <yangyingliang@huawei.com>
|
|
The code to tell the lower layer to enable or disable watching for
certain things was lazy in disabling, it waited until a timer tick
to see if a disable was necessary. Not a really big deal, but it
could be improved.
Modify the code to enable and disable watching immediately and don't
do it from the background timer any more.
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Tested-by: Kamlakant Patel <kamlakant.patel@cavium.com>
|
|
The IPMI driver has a mechanism to tell the lower layers it needs
to watch for messages, commands, and watchdogs (so it doesn't
needlessly poll). However, it needed some extensions, it needed
a way to tell what is being waited for so it could set the timeout
appropriately.
The update to the lower layer was also being done once a second
at best because it was done in the main timeout handler. However,
if a command is sent and a response message is coming back,
it needed to be started immediately. So modify the code to
update immediately if it needs to be enabled. Disable is still
lazy.
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Tested-by: Kamlakant Patel <kamlakant.patel@cavium.com>
|
|
When we excute the following commands, we got oops
rmmod ipmi_si
cat /proc/ioports
[ 1623.482380] Unable to handle kernel paging request at virtual address ffff00000901d478
[ 1623.482382] Mem abort info:
[ 1623.482383] ESR = 0x96000007
[ 1623.482385] Exception class = DABT (current EL), IL = 32 bits
[ 1623.482386] SET = 0, FnV = 0
[ 1623.482387] EA = 0, S1PTW = 0
[ 1623.482388] Data abort info:
[ 1623.482389] ISV = 0, ISS = 0x00000007
[ 1623.482390] CM = 0, WnR = 0
[ 1623.482393] swapper pgtable: 4k pages, 48-bit VAs, pgdp = 00000000d7d94a66
[ 1623.482395] [ffff00000901d478] pgd=000000dffbfff003, pud=000000dffbffe003, pmd=0000003f5d06e003, pte=0000000000000000
[ 1623.482399] Internal error: Oops: 96000007 [#1] SMP
[ 1623.487407] Modules linked in: ipmi_si(E) nls_utf8 isofs rpcrdma ib_iser ib_srpt target_core_mod ib_srp scsi_transport_srp ib_ipoib rdma_ucm ib_umad rdma_cm ib_cm dm_mirror dm_region_hash dm_log iw_cm dm_mod aes_ce_blk crypto_simd cryptd aes_ce_cipher ses ghash_ce sha2_ce enclosure sha256_arm64 sg sha1_ce hisi_sas_v2_hw hibmc_drm sbsa_gwdt hisi_sas_main ip_tables mlx5_ib ib_uverbs marvell ib_core mlx5_core ixgbe mdio hns_dsaf ipmi_devintf hns_enet_drv ipmi_msghandler hns_mdio [last unloaded: ipmi_si]
[ 1623.532410] CPU: 30 PID: 11438 Comm: cat Kdump: loaded Tainted: G E 5.0.0-rc3+ #168
[ 1623.541498] Hardware name: Huawei TaiShan 2280 /BC11SPCD, BIOS 1.37 11/21/2017
[ 1623.548822] pstate: a0000005 (NzCv daif -PAN -UAO)
[ 1623.553684] pc : string+0x28/0x98
[ 1623.557040] lr : vsnprintf+0x368/0x5e8
[ 1623.560837] sp : ffff000013213a80
[ 1623.564191] x29: ffff000013213a80 x28: ffff00001138abb5
[ 1623.569577] x27: ffff000013213c18 x26: ffff805f67d06049
[ 1623.574963] x25: 0000000000000000 x24: ffff00001138abb5
[ 1623.580349] x23: 0000000000000fb7 x22: ffff0000117ed000
[ 1623.585734] x21: ffff000011188fd8 x20: ffff805f67d07000
[ 1623.591119] x19: ffff805f67d06061 x18: ffffffffffffffff
[ 1623.596505] x17: 0000000000000200 x16: 0000000000000000
[ 1623.601890] x15: ffff0000117ed748 x14: ffff805f67d07000
[ 1623.607276] x13: ffff805f67d0605e x12: 0000000000000000
[ 1623.612661] x11: 0000000000000000 x10: 0000000000000000
[ 1623.618046] x9 : 0000000000000000 x8 : 000000000000000f
[ 1623.623432] x7 : ffff805f67d06061 x6 : fffffffffffffffe
[ 1623.628817] x5 : 0000000000000012 x4 : ffff00000901d478
[ 1623.634203] x3 : ffff0a00ffffff04 x2 : ffff805f67d07000
[ 1623.639588] x1 : ffff805f67d07000 x0 : ffffffffffffffff
[ 1623.644974] Process cat (pid: 11438, stack limit = 0x000000008d4cbc10)
[ 1623.651592] Call trace:
[ 1623.654068] string+0x28/0x98
[ 1623.657071] vsnprintf+0x368/0x5e8
[ 1623.660517] seq_vprintf+0x70/0x98
[ 1623.668009] seq_printf+0x7c/0xa0
[ 1623.675530] r_show+0xc8/0xf8
[ 1623.682558] seq_read+0x330/0x440
[ 1623.689877] proc_reg_read+0x78/0xd0
[ 1623.697346] __vfs_read+0x60/0x1a0
[ 1623.704564] vfs_read+0x94/0x150
[ 1623.711339] ksys_read+0x6c/0xd8
[ 1623.717939] __arm64_sys_read+0x24/0x30
[ 1623.725077] el0_svc_common+0x120/0x148
[ 1623.732035] el0_svc_handler+0x30/0x40
[ 1623.738757] el0_svc+0x8/0xc
[ 1623.744520] Code: d1000406 aa0103e2 54000149 b4000080 (39400085)
[ 1623.753441] ---[ end trace f91b6a4937de9835 ]---
[ 1623.760871] Kernel panic - not syncing: Fatal exception
[ 1623.768935] SMP: stopping secondary CPUs
[ 1623.775718] Kernel Offset: disabled
[ 1623.781998] CPU features: 0x002,21006008
[ 1623.788777] Memory Limit: none
[ 1623.798329] Starting crashdump kernel...
[ 1623.805202] Bye!
If io_setup is called successful in try_smi_init() but try_smi_init()
goes out_err before calling ipmi_register_smi(), so ipmi_unregister_smi()
will not be called while removing module. It leads to the resource that
allocated in io_setup() can not be freed, but the name(DEVICE_NAME) of
resource is freed while removing the module. It causes use-after-free
when cat /proc/ioports.
Fix this by calling io_cleanup() while try_smi_init() goes to out_err.
and don't call io_cleanup() until io_setup() returns successful to avoid
warning prints.
Fixes: 93c303d2045b ("ipmi_si: Clean up shutdown a bit")
Cc: stable@vger.kernel.org
Reported-by: NuoHan Qiao <qiaonuohan@huawei.com>
Suggested-by: Corey Minyard <cminyard@mvista.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
|
|
Now that synchronize_rcu() waits for preempt-disable regions of code
as well as RCU read-side critical sections, synchronize_sched() can be
replaced by synchronize_rcu(). This commit therefore makes this change.
Signed-off-by: Paul E. McKenney <paulmck@linux.ibm.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: <openipmi-developer@lists.sourceforge.net>
Acked-by: Corey Minyard <cminyard@mvista.com>
|
|
getnstimeofday64() is deprecated because of the inconsistent naming,
it is only a wrapper around ktime_get_real_ts64() now, which could be
used as a direct replacement.
However, it is generally better to use CLOCK_MONOTONIC timestamps
where possible, to avoid glitches with a concurrent settimeofday()
or leap second.
The uses in ipmi are either for debugging prints or for comparing against
a prior timestamp, so using a monotonic ktime_get_ts64() is probably
best here.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
|
|
Add and use #define pr_fmt/dev_fmt, and remove #define PFX
This also prefixes some messages that were not previously prefixed.
Miscellanea:
o Convert printk(KERN_<level> to pr_<level>(
o Use %s, __func__ where appropriate
Signed-off-by: Joe Perches <joe@perches.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
|
|
There were certain situations where ipmi_register_smi() would
return a failure, but the interface would still be registered
and would need to be unregistered. This is obviously a bad
design and resulted in an oops in certain failure cases.
If the interface is started up in ipmi_register_smi(), then
an error occurs, shut down the interface there so the
cleanup can be done properly.
Fix the various smi users, too.
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Reported-by: Justin Ernst <justin.ernst@hpe.com>
Tested-by: Justin Ernst <justin.ernst@hpe.com>
Cc: Andrew Banman <abanman@hpe.com>
Cc: Russ Anderson <russ.anderson@hpe.com>
Cc: <stable@vger.kernel.org> # 4.18.x
|
|
Commit 93c303d2045b3 "ipmi_si: Clean up shutdown a bit" didn't
copy the behavior of the cleanup in one spot, it needed to
check for a non-NULL interface before cleaning it up.
Reported-by: Meelis Roos <mroos@linux.ee>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Tested-by: Meelis Roos <mroos@linux.ee>
|
|
It has been deprecated long enough, get rid of it.
Signed-off-by: Corey Minyard <cminyard@mvista.com>
|
|
Signed-off-by: Corey Minyard <cminyard@mvista.com>
|
|
There is already an intf_num in the main IPMI device structure, use
a different name in the ipmi_si code to avoid confusion.
Signed-off-by: Corey Minyard <cminyard@mvista.com>
|
|
Due to changes in the way shutdown is done, it is no longer
required to check that the interface is set.
Signed-off-by: Corey Minyard <cminyard@mvista.com>
|
|
Signed-off-by: Corey Minyard <cminyard@mvista.com>
|
|
Move the shutdown handling to a shutdown function called from
the IPMI core code. That makes for a cleaner shutdown.
Signed-off-by: Corey Minyard <cminyard@mvista.com>
|
|
Get rid of this coding style violation in the user files. Include
files will come later.
Signed-off-by: Corey Minyard <cminyard@mvista.com>
|
|
If platform_device_alloc() then we should return -ENOMEM instead of
returning success.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
|
|
The cleanup code for an init failure and for a device removal were
quite similar, consolidate all that into one function.
Signed-off-by: Corey Minyard <cminyard@mvista.com>
|
|
The data is allocated with kzalloc, no need to set things to NULL.
Signed-off-by: Corey Minyard <cminyard@mvista.com>
|
|
device_remove_group() was called on any cleanup, even if the
device attrs had not been added yet. That can occur in certain
error scenarios, so add a flag to know if it has been added.
Also make sure we remove the dev if we added it ourselves.
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Cc: stable@vger.kernel.org # 4.15
Cc: Laura Abbott <labbott@redhat.com>
Tested-by: Bill Perkins <wmp@grnwood.net>
|
|
And get rid of the license text that is no longer necessary.
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Alistair Popple <alistair@popple.id.au>
Cc: Jeremy Kerr <jk@ozlabs.org>
Cc: Joel Stanley <joel@jms.id.au>
Cc: Rocky Craig <rocky.craig@hp.com>
|
|
During code inspection, I found an use-after-free possibility during unloading
ipmi_si in the polling mode.
If start_new_msg() is called after kthread_stop(), the function will try to
wake up non-existing kthread using the dangling pointer.
Possible scenario is when a new internal message is generated after
ipmi_unregister_smi()[*1] and remains after stop_timer_and_thread()
in clenaup_one_si() [*2].
Use-after-free could occur as follows depending on BMC replies.
cleanup_one_si
=> ipmi_unregister_smi
[*1]
=> stop_timer_and_thread
=> kthread_stop(smi_info->thread)
[*2]
=> poll
=> smi_event_handler
=> start_new_msg
=> if (smi_info->thread)
wake_up_process(smi_info->thread) <== use-after-free!!
Although currently it seems no such message is generated in the polling mode,
some changes might introduce that in thefuture. For example in the interrupt
mode, disable_si_irq() does that at [*2].
So let's prevent such a critical issue possibility now.
Signed-off-by: Yamazaki Masamitsu <m-yamazaki@ah.jp.nec.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
|
|
Cleanup of platform devices created by the IPMI driver was not
being done correctly and could result in a memory leak. So
create a local boolean to know how to clean up those platform
devices.
Reported-by: David Binderman <dcb314@hotmail.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
|
