public inbox for stable@vger.kernel.org
From: Corey Minyard <corey@minyard.net>
To: stable@vger.kernel.org
Cc: Guenter Roeck <linux@roeck-us.net>,
	Eric Dumazet <edumazet@google.com>,
	Greg Thelen <gthelen@google.com>,
	Corey Minyard <corey@minyard.net>
Subject: [PATCH 6.1.y 2/2] ipmi: Fix handling of messages with provided receive message pointer
Date: Thu, 16 Oct 2025 13:50:58 -0500
Message-ID: <20251016185058.1876213-2-corey@minyard.net>
In-Reply-To: <20251016185058.1876213-1-corey@minyard.net>

From: Guenter Roeck <linux@roeck-us.net>

commit e2c69490dda5d4c9f1bfbb2898989c8f3530e354 upstream

Prior to commit b52da4054ee0 ("ipmi: Rework user message limit handling"),
i_ipmi_request() used to increase the user reference counter if the receive
message is provided by the caller of IPMI API functions. This is no longer
the case. However, ipmi_free_recv_msg() is still called and decreases the
reference counter. This results in the reference counter reaching zero,
the user data pointer is released, and all kinds of interesting crashes are
seen.

Fix the problem by increasing user reference counter if the receive message
has been provided by the caller.

Fixes: b52da4054ee0 ("ipmi: Rework user message limit handling")
Reported-by: Eric Dumazet <edumazet@google.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Greg Thelen <gthelen@google.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Message-ID: <20251006201857.3433837-1-linux@roeck-us.net>
Signed-off-by: Corey Minyard <corey@minyard.net>
---
 drivers/char/ipmi/ipmi_msghandler.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c
index 12db7d05c010..a475d0bd2685 100644
--- a/drivers/char/ipmi/ipmi_msghandler.c
+++ b/drivers/char/ipmi/ipmi_msghandler.c
@@ -2311,8 +2311,11 @@ static int i_ipmi_request(struct ipmi_user     *user,
 	if (supplied_recv) {
 		recv_msg = supplied_recv;
 		recv_msg->user = user;
-		if (user)
+		if (user) {
 			atomic_inc(&user->nr_msgs);
+			/* The put happens when the message is freed. */
+			kref_get(&user->refcount);
+		}
 	} else {
 		recv_msg = ipmi_alloc_recv_msg(user);
 		if (IS_ERR(recv_msg))
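
Review bot: the new comment in the `if (user)` block says the put happens "when the message is freed" but does not name the function that does it; the commit message identifies it as ipmi_free_recv_msg(), and naming it in the comment would make the get/put pair easy to grep for. The supplied_recv branch now open-codes both atomic_inc(&user->nr_msgs) and kref_get(&user->refcount), while the else branch delegates to ipmi_alloc_recv_msg(user); a small helper that takes both counts would keep the two paths from drifting apart again. Since the hunk does not show the later exits of i_ipmi_request(), it is also worth confirming that every error return after this point releases a caller-supplied message through the same free path, so the new reference is always dropped.
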
-- 
2.43.0



Thread overview: 3+ messages
2025-10-16 12:38 FAILED: patch "[PATCH] ipmi: Rework user message limit handling" failed to apply to 6.1-stable tree gregkh
2025-10-16 18:50 ` [PATCH 6.1.y 1/2] ipmi: Rework user message limit handling Corey Minyard
2025-10-16 18:50   ` Corey Minyard [this message]
