[PATCH] ipmi/powernv: Fix a minor bug

[PATCH] ipmi/powernv: Fix a minor bug

[Neelesh Gupta]

If the OPAL call to receive the ipmi message fails, then we free up the smi
message before returning. But, the driver still holds the reference to old
smi message in the 'cur_msg' which is dangerous if the driver derefernces it
later and it will further block the subsequent ipmi operations. So, to fix
it up, we need to nullify 'cur_msg' in the error case.

Signed-off-by: Neelesh Gupta <neelegup@linux.vnet.ibm.com>
---
 drivers/char/ipmi/ipmi_powernv.c |    1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/char/ipmi/ipmi_powernv.c b/drivers/char/ipmi/ipmi_powernv.c
index 9b409c0..08dd38f 100644
--- a/drivers/char/ipmi/ipmi_powernv.c
+++ b/drivers/char/ipmi/ipmi_powernv.c
@@ -143,6 +143,7 @@ static int ipmi_powernv_recv(struct ipmi_smi_powernv *smi)
 	pr_devel("%s:   -> %d (size %lld)\n", __func__,
 			rc, rc == 0 ? size : 0);
 	if (rc) {
+		smi->cur_msg = NULL;
 		spin_unlock_irqrestore(&smi->msg_lock, flags);
 		ipmi_free_smi_msg(msg);
 		return 0;

Re: ipmi/powernv: Fix a minor bug

[Michael Ellerman]

On Wed, 2015-08-07 at 06:27:28 UTC, Neelesh Gupta wrote:
> If the OPAL call to receive the ipmi message fails, then we free up the smi
> message before returning. But, the driver still holds the reference to old
> smi message in the 'cur_msg' which is dangerous if the driver derefernces it
> later and it will further block the subsequent ipmi operations. 

This doesn't sound like "a minor bug" ?

What are the actual symptoms of the bug? Does it crash, always, sometimes? Does
it actually "block the subsequent ipmi operations"?

Even if this *is* a minor bug, please give it a proper subject that describes
what it does.

Also which commit introduced the bug?

And finally you don't seem to have CC'ed the ipmi maintainers?

cheers

Re: ipmi/powernv: Fix a minor bug

[Neelesh Gupta]

[-- Attachment #1: Type: text/plain, Size: 1085 bytes --]

Hi Michael,

On 07/08/2015 04:12 PM, Michael Ellerman wrote:
> On Wed, 2015-08-07 at 06:27:28 UTC, Neelesh Gupta wrote:
>> If the OPAL call to receive the ipmi message fails, then we free up the smi
>> message before returning. But, the driver still holds the reference to old
>> smi message in the 'cur_msg' which is dangerous if the driver derefernces it
>> later and it will further block the subsequent ipmi operations.
> This doesn't sound like "a minor bug" ?
>
> What are the actual symptoms of the bug? Does it crash, always, sometimes? Does
> it actually "block the subsequent ipmi operations"?

In the normal scenario, it doesn't happen.
To create the crash, I passed error code in opal call 'opal_ipmi_recv()'
I think there is more need to be done than this change. So, I will resend
the next version addressing all of your concerns.

Thanks,
Neelesh.

>
> Even if this *is* a minor bug, please give it a proper subject that describes
> what it does.
>
> Also which commit introduced the bug?
>
> And finally you don't seem to have CC'ed the ipmi maintainers?
>
> cheers
>


[-- Attachment #2: Type: text/html, Size: 1787 bytes --]