Re: [PATCH] ipmi/powernv: Fix potential invalid pointer dereference

[Neelesh Gupta <neelegup@linux.vnet.ibm.com>]

[-- Attachment #1: Type: text/plain, Size: 3737 bytes --]

Hi Alistair,

Thanks for the review.

On 07/28/2015 11:21 PM, Alistair Popple wrote:
> Hi Neelesh,
>
> This fix looks reasonable to me, although Jeremy would be the best person to
> comment if he has time. I wonder why we bother polling at all given that our
> event interface should call opal_ipmi_recv() whenever a message is ready?

Agree. I thought about it and didn't find any reason to have it as we 
have event
mechanism.. but didn't think of changing as it is not causing any issue..

>
> Also the firmware fix you refer to and this fix are independent of each other
> so there's no ordering issues there.

Correct. Though, there is no relation, but I figured out the skiboot 
issue after
this change.. yes, they are independent. Please find time to review the
skiboot patch.

Corey,

Please queue this patch for upstream if you Ok with it.

Thanks,
Neelesh.

>
> Reviewed-By: Alistair Popple <alistair@popple.id.au>
>
> On Tue, 28 Jul 2015 13:20:07 Neelesh Gupta wrote:
>> On 07/17/2015 02:12 PM, Neelesh Gupta wrote:
>>> Hi Corey,
>>>
>>> On 07/16/2015 08:31 PM, Corey Minyard wrote:
>>>> Ok, this looks fine.  A couple of question...
>>>>
>>>> Do I need to send this upstream right now?  How well has this been
> tested?
>>> I would want either Jeremy or Alistair to review this patch before you
>>> send this
>>> upstream. There is also firmware piece
>>> http://patchwork.ozlabs.org/patch/496645/
>>> awaiting review.
>>>
>>> In the testing front, I manually made the opal_ipmi_recv() function to
>>> fail for testing
>>> the error path and see if the driver recovers from it and subsequent
>>> ipmi commands
>>> work all good.
>> Hi Jeremy/Alistair,
>>
>> Could you please review it and the corresponding skiboot patch...
>>
>> Thanks,
>> Neelesh.
>>
>>>> Do you want this backported to 4.0 stable?
>>> Yes, I want this to be be backported to 4.0 stable.
>>>
>>> Thanks,
>>> Neelesh.
>>>
>>>> -corey
>>>>
>>>> On 07/16/2015 06:16 AM, Neelesh Gupta wrote:
>>>>> If the OPAL call to receive the ipmi message fails, then we free up the
>>>>> smi message and return. But, the driver still holds the reference to
>>>>> old smi message in the 'cur_msg' which can potentially be accessed later
>>>>> and freed again leading to kernel oops. To fix it up,
>>>>>
>>>>> The kernel driver should reset the 'cur_msg' and send reply to the user
>>>>> in addition to freeing the message.
>>>>>
>>>>> Signed-off-by: Neelesh Gupta<neelegup@linux.vnet.ibm.com>
>>>>> ---
>>>>>    drivers/char/ipmi/ipmi_powernv.c |   13 ++++++++++---
>>>>>    1 file changed, 10 insertions(+), 3 deletions(-)
>>>>>
>>>>> diff --git a/drivers/char/ipmi/ipmi_powernv.c
> b/drivers/char/ipmi/ipmi_powernv.c
>>>>> index 9b409c0..637486d 100644
>>>>> --- a/drivers/char/ipmi/ipmi_powernv.c
>>>>> +++ b/drivers/char/ipmi/ipmi_powernv.c
>>>>> @@ -143,9 +143,16 @@ static int ipmi_powernv_recv(struct
> ipmi_smi_powernv *smi)
>>>>>    	pr_devel("%s:   -> %d (size %lld)\n", __func__,
>>>>>    			rc, rc == 0 ? size : 0);
>>>>>    	if (rc) {
>>>>> -		spin_unlock_irqrestore(&smi->msg_lock, flags);
>>>>> -		ipmi_free_smi_msg(msg);
>>>>> -		return 0;
>>>>> +		/* If came via the poll, and response was not yet ready */
>>>>> +		if (rc == OPAL_EMPTY) {
>>>>> +			spin_unlock_irqrestore(&smi->msg_lock, flags);
>>>>> +			return 0;
>>>>> +		} else {
>>>>> +			smi->cur_msg = NULL;
>>>>> +			spin_unlock_irqrestore(&smi->msg_lock, flags);
>>>>> +			send_error_reply(smi, msg, IPMI_ERR_UNSPECIFIED);
>>>>> +			return 0;
>>>>> +		}
>>>>>    	}
>>>>>
>>>>>    	if (size < sizeof(*opal_msg)) {
>>>>>
>>>
>>>
>>> _______________________________________________
>>> Linuxppc-dev mailing list
>>> Linuxppc-dev@lists.ozlabs.org
>>> https://lists.ozlabs.org/listinfo/linuxppc-dev


[-- Attachment #2: Type: text/html, Size: 6133 bytes --]