Re: [PATCH] ipmi: Fix kernel panic at ipmi_ssif_thread()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: joechang@codeaurora.org
To: minyard@acm.org
Cc: Joeseph Chang <joechang@qti.qualcomm.com>,
	openipmi-developer@lists.sourceforge.net,
	linux-kernel@vger.kernel.org, anjiandi@qti.qualcomm.com,
	Corey Minyard <tcminyard@gmail.com>
Subject: Re: [PATCH] ipmi: Fix kernel panic at ipmi_ssif_thread()
Date: Mon, 27 Mar 2017 13:04:45 +0800	[thread overview]
Message-ID: <80838c25e081439b1bfd65acacc91684@codeaurora.org> (raw)
In-Reply-To: <6d686ff9-e94b-ddc0-cf9f-13a839acbb08@acm.org>

Hi Corey,

Thanks your feedback and suggestion. :)
I think you are right. It is better to allocate one new local variable 
to store i2c data and size that will be sent...
I create new patch in following according to your suggestion.
Could you help to review the patch again?

 From eec31f51acc7e019fd0dcc512febda86870268d2 Mon Sep 17 00:00:00 2001
 From: Joeseph Chang <joechang@codeaurora.org>
Date: Mon, 27 Mar 2017 10:46:42 +0800
Subject: [PATCH] ipmi: Fix kernel panic at ipmi_ssif_thread()

msg_written_handler() may set ssif_info->multi_data to NULL
when using ipmitool to write fru.

Fix kernel panic at ipmi_ssif_thread() and incorrect
ssif_info->multi_pos by adding one local pointer i2c_data to store i2c
data and size to send before calling ssif_i2c_send().

With this change, can avoid concurrent access to ssif_info->multi_pos 
and
ssif_info->multi_data at msg_written_handler.
Because msg_written_handler can be called at any time after 
ssif_i2c_send().
---
  drivers/char/ipmi/ipmi_ssif.c | 4 +++-
  1 file changed, 3 insertions(+), 1 deletion(-)
  mode change 100644 => 100755 drivers/char/ipmi/ipmi_ssif.c

diff --git a/drivers/char/ipmi/ipmi_ssif.c 
b/drivers/char/ipmi/ipmi_ssif.c
old mode 100644
new mode 100755
index cca6e5b..f36f018
--- a/drivers/char/ipmi/ipmi_ssif.c
+++ b/drivers/char/ipmi/ipmi_ssif.c
@@ -852,6 +852,7 @@ static void msg_written_handler(struct ssif_info 
*ssif_info, int result,
                  unsigned char *data, unsigned int len)
  {
      int rv;
+    unsigned char *i2c_data;

      /* We are single-threaded here, so no need for a lock. */
      if (result < 0) {
@@ -899,6 +900,7 @@ static void msg_written_handler(struct ssif_info 
*ssif_info, int result,
              left = 32;
          /* Length byte. */
          ssif_info->multi_data[ssif_info->multi_pos] = left;
+        i2c_data = ssif_info->multi_data + ssif_info->multi_pos;
          ssif_info->multi_pos += left;
          if (left < 32)
              /*
@@ -912,7 +914,7 @@ static void msg_written_handler(struct ssif_info 
*ssif_info, int result,
          rv = ssif_i2c_send(ssif_info, msg_written_handler,
                    I2C_SMBUS_WRITE,
                    SSIF_IPMI_MULTI_PART_REQUEST_MIDDLE,
-                  ssif_info->multi_data + ssif_info->multi_pos,
+                  i2c_data,
                    I2C_SMBUS_BLOCK_DATA);
          if (rv < 0) {
              /* request failed, just return the error. */
-- 
1.9.1


Thank you,
Joseph.

Corey Minyard 於 2017-03-25 10:53 寫到:
> This is incorrect.  These values *must* be set before ssif_i2c_send() 
> is done.
> Once ssif_i2c_send() is called, msg_written_handler can be called at 
> any
> time after that, including before where you moved the new code.
> 
> If I understand this correctly, I think you need to add a variable,
> maybe named "bytes_to_write" and do
> 
>   bytes_to_write = ssif_info->multi_data + ssif_info->multi_pos;
> 
> before the comparison and pass bytes_to_write into
> ssif_i2c_send().
> 
> Thanks,
> 
> -corey
> 
> On 03/23/2017 02:07 AM, Joeseph Chang wrote:
>> From: Joeseph Chang <joechang@codeaurora.org>
>> 
>> msg_written_handler() may set ssif_info->multi_data to NULL
>> when using ipmitool to write fru.
>> Change the ssif i2c send data sequence in msg_written_handler()
>> to fix NULL pointer kernel panic and incorrect ssif_info->multi_pos.
>> 
>> Signed-off-by: Joeseph Chang <joechang@codeaurora.org>
>> ---
>>   drivers/char/ipmi/ipmi_ssif.c | 20 +++++++++++---------
>>   1 file changed, 11 insertions(+), 9 deletions(-)
>> 
>> diff --git a/drivers/char/ipmi/ipmi_ssif.c 
>> b/drivers/char/ipmi/ipmi_ssif.c
>> index cca6e5b..39346ee 100644
>> --- a/drivers/char/ipmi/ipmi_ssif.c
>> +++ b/drivers/char/ipmi/ipmi_ssif.c
>> @@ -899,21 +899,13 @@ static void msg_written_handler(struct ssif_info 
>> *ssif_info, int result,
>>   			left = 32;
>>   		/* Length byte. */
>>   		ssif_info->multi_data[ssif_info->multi_pos] = left;
>> -		ssif_info->multi_pos += left;
>> -		if (left < 32)
>> -			/*
>> -			 * Write is finished.  Note that we must end
>> -			 * with a write of less than 32 bytes to
>> -			 * complete the transaction, even if it is
>> -			 * zero bytes.
>> -			 */
>> -			ssif_info->multi_data = NULL;
>>     		rv = ssif_i2c_send(ssif_info, msg_written_handler,
>>   				  I2C_SMBUS_WRITE,
>>   				  SSIF_IPMI_MULTI_PART_REQUEST_MIDDLE,
>>   				  ssif_info->multi_data + ssif_info->multi_pos,
>>   				  I2C_SMBUS_BLOCK_DATA);
>> +
>>   		if (rv < 0) {
>>   			/* request failed, just return the error. */
>>   			ssif_inc_stat(ssif_info, send_errors);
>> @@ -922,6 +914,16 @@ static void msg_written_handler(struct ssif_info 
>> *ssif_info, int result,
>>   				pr_info("Error from i2c_non_blocking_op(3)\n");
>>   			msg_done_handler(ssif_info, -EIO, NULL, 0);
>>   		}
>> +
>> +		ssif_info->multi_pos += left;
>> +		if (left < 32)
>> +			/*
>> +			 * Write is finished.  Note that we must end
>> +			 * with a write of less than 32 bytes to
>> +			 * complete the transaction, even if it is
>> +			 * zero bytes.
>> +			 */
>> +			ssif_info->multi_data = NULL;
>>   	} else {
>>   		/* Ready to request the result. */
>>   		unsigned long oflags, *flags;

next prev parent reply	other threads:[~2017-03-27  5:04 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-03-23  7:07 [PATCH] ipmi: Fix kernel panic at ipmi_ssif_thread() Joeseph Chang
2017-03-25  2:53 ` Corey Minyard
2017-03-27  3:02   ` Joseph Chang
2017-03-27  5:04   ` joechang [this message]
  -- strict thread matches above, loose matches on Subject: below --
2017-03-28  2:22 Joeseph Chang

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:cca6e5b dfblob:f36f018 )
 OR (
bs:"ipmi: Fix kernel panic at ipmi_ssif_thread()" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=80838c25e081439b1bfd65acacc91684@codeaurora.org \
    --to=joechang@codeaurora.org \
    --cc=anjiandi@qti.qualcomm.com \
    --cc=joechang@qti.qualcomm.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=minyard@acm.org \
    --cc=openipmi-developer@lists.sourceforge.net \
    --cc=tcminyard@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.