From: <gregkh@linuxfoundation.org>
To: john.garry@huawei.com, cminyard@mvista.com, gregkh@linuxfoundation.org
Cc: <stable@vger.kernel.org>, <stable-commits@vger.kernel.org>
Subject: Patch "ipmi: use dynamic memory for DMI driver override" has been added to the 4.15-stable tree
Date: Thu, 15 Feb 2018 09:34:10 +0100 [thread overview]
Message-ID: <1518683650180243@kroah.com> (raw)
This is a note to let you know that I've just added the patch titled
ipmi: use dynamic memory for DMI driver override
to the 4.15-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
ipmi-use-dynamic-memory-for-dmi-driver-override.patch
and it can be found in the queue-4.15 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.
>From 5516e21a1e95e9b9f39985598431a25477d91643 Mon Sep 17 00:00:00 2001
From: John Garry <john.garry@huawei.com>
Date: Thu, 18 Jan 2018 00:36:57 +0800
Subject: ipmi: use dynamic memory for DMI driver override
From: John Garry <john.garry@huawei.com>
commit 5516e21a1e95e9b9f39985598431a25477d91643 upstream.
Currently a crash can be seen if we reach the "err"
label in dmi_add_platform_ipmi(), calling
platform_device_put(), like here:
[ 7.270584] (null): ipmi:dmi: Unable to add resources: -16
[ 7.330229] ------------[ cut here ]------------
[ 7.334889] kernel BUG at mm/slub.c:3894!
[ 7.338936] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
[ 7.344475] Modules linked in:
[ 7.347556] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.15.0-rc2-00004-gbe9cb7b-dirty #114
[ 7.355907] Hardware name: Huawei Taishan 2280 /D05, BIOS Hisilicon D05 IT17 Nemo 2.0 RC0 11/29/2017
[ 7.365137] task: 00000000c211f6d3 task.stack: 00000000f276e9af
[ 7.371116] pstate: 60000005 (nZCv daif -PAN -UAO)
[ 7.375957] pc : kfree+0x194/0x1b4
[ 7.379389] lr : platform_device_release+0xcc/0xd8
[ 7.384225] sp : ffff0000092dba90
[ 7.387567] x29: ffff0000092dba90 x28: ffff000008a83000
[ 7.392933] x27: ffff0000092dbc10 x26: 00000000000000e6
[ 7.398297] x25: 0000000000000003 x24: ffff0000085b51e8
[ 7.403662] x23: 0000000000000100 x22: ffff7e0000234cc0
[ 7.409027] x21: ffff000008af3660 x20: ffff8017d21acc10
[ 7.414392] x19: ffff8017d21acc00 x18: 0000000000000002
[ 7.419757] x17: 0000000000000001 x16: 0000000000000008
[ 7.425121] x15: 0000000000000001 x14: 6666666678303d65
[ 7.430486] x13: 6469727265766f5f x12: 7265766972642e76
[ 7.435850] x11: 6564703e2d617020 x10: 6530326435373638
[ 7.441215] x9 : 3030303030303030 x8 : 3d76656420657361
[ 7.446580] x7 : ffff000008f59df8 x6 : ffff8017fbe0ea50
[ 7.451945] x5 : 0000000000000000 x4 : 0000000000000000
[ 7.457309] x3 : ffffffffffffffff x2 : 0000000000000000
[ 7.462674] x1 : 0fffc00000000800 x0 : ffff7e0000234ce0
[ 7.468039] Process swapper/0 (pid: 1, stack limit = 0x00000000f276e9af)
[ 7.474809] Call trace:
[ 7.477272] kfree+0x194/0x1b4
[ 7.480351] platform_device_release+0xcc/0xd8
[ 7.484837] device_release+0x34/0x90
[ 7.488531] kobject_put+0x70/0xcc
[ 7.491961] put_device+0x14/0x1c
[ 7.495304] platform_device_put+0x14/0x1c
[ 7.499439] dmi_add_platform_ipmi+0x348/0x3ac
[ 7.503923] scan_for_dmi_ipmi+0xfc/0x10c
[ 7.507970] do_one_initcall+0x38/0x124
[ 7.511840] kernel_init_freeable+0x188/0x228
[ 7.516238] kernel_init+0x10/0x100
[ 7.519756] ret_from_fork+0x10/0x18
[ 7.523362] Code: f94002c0 37780080 f94012c0 37000040 (d4210000)
[ 7.529552] ---[ end trace 11750e4787deef9e ]---
[ 7.534228] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
[ 7.534228]
This is because when the device is released in
platform_device_release(), we try to free
pdev.driver_override. This is a const string, hence
the crash.
Fix by using dynamic memory for pdev->driver_override.
Signed-off-by: John Garry <john.garry@huawei.com>
[Removed the free of driver_override from ipmi_si_remove_by_dev(). The
free is done in platform_device_release(), and would result in a double
free, and ipmi_si_remove_by_dev() is called by non-platform devices.]
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/ipmi/ipmi_dmi.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/char/ipmi/ipmi_dmi.c
+++ b/drivers/char/ipmi/ipmi_dmi.c
@@ -106,7 +106,10 @@ static void __init dmi_add_platform_ipmi
pr_err("ipmi:dmi: Error allocation IPMI platform device\n");
return;
}
- pdev->driver_override = override;
+ pdev->driver_override = kasprintf(GFP_KERNEL, "%s",
+ override);
+ if (!pdev->driver_override)
+ goto err;
if (type == IPMI_DMI_TYPE_SSIF) {
set_prop_entry(p[pidx++], "i2c-addr", u16, base_addr);
Patches currently in stable-queue which might be from john.garry@huawei.com are
queue-4.15/ipmi-use-dynamic-memory-for-dmi-driver-override.patch
reply other threads:[~2018-02-15 8:35 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1518683650180243@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=cminyard@mvista.com \
--cc=john.garry@huawei.com \
--cc=stable-commits@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.