linux/drivers/char/ipmi
Guenter Roeck e2c69490dd ipmi: Fix handling of messages with provided receive message pointer
Prior to commit b52da4054e ("ipmi: Rework user message limit handling"),
i_ipmi_request() used to increase the user reference counter if the receive
message is provided by the caller of IPMI API functions. This is no longer
the case. However, ipmi_free_recv_msg() is still called and decreases the
reference counter. This results in the reference counter reaching zero,
the user data pointer is released, and all kinds of interesting crashes are
seen.

Fix the problem by increasing user reference counter if the receive message
has been provided by the caller.

Fixes: b52da4054e ("ipmi: Rework user message limit handling")
Reported-by: Eric Dumazet <edumazet@google.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Greg Thelen <gthelen@google.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Message-ID: <20251006201857.3433837-1-linux@roeck-us.net>
Signed-off-by: Corey Minyard <corey@minyard.net>
2025-10-07 06:50:08 -05:00
Kconfig ipmi: Add Loongson-2K BMC support 2025-09-16 10:15:54 -05:00
Makefile ipmi: Add Loongson-2K BMC support 2025-09-16 10:15:54 -05:00
bt-bmc.c treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
ipmb_dev_int.c char:ipmi: Fix a not-used variable on a non-ACPI system 2024-12-22 14:57:47 -06:00
ipmi_bt_sm.c
ipmi_devintf.c ipmi: make ipmi_destroy_user() return void 2025-01-02 21:11:52 -06:00
ipmi_dmi.c
ipmi_dmi.h
ipmi_ipmb.c ipmi: Allow an SMI sender to return an error 2025-09-08 10:21:41 -05:00
ipmi_kcs_sm.c Revert "ipmi: fix msg stack when IPMI is disconnected" 2025-09-08 10:08:25 -05:00
ipmi_msghandler.c ipmi: Fix handling of messages with provided receive message pointer 2025-10-07 06:50:08 -05:00
ipmi_plat_data.c
ipmi_plat_data.h
ipmi_powernv.c ipmi: Allow an SMI sender to return an error 2025-09-08 10:21:41 -05:00
ipmi_poweroff.c treewide: const qualify ctl_tables where applicable 2025-01-28 13:48:37 +01:00
ipmi_si.h ipmi: Add Loongson-2K BMC support 2025-09-16 10:15:54 -05:00
ipmi_si_hardcode.c
ipmi_si_hotmod.c
ipmi_si_intf.c ipmi: Add Loongson-2K BMC support 2025-09-16 10:15:54 -05:00
ipmi_si_ls2k.c ipmi: Add Loongson-2K BMC support 2025-09-16 10:15:54 -05:00
ipmi_si_mem_io.c
ipmi_si_parisc.c ipmi:si: Move SI type information into an info structure 2025-05-07 17:25:47 -05:00
ipmi_si_pci.c ipmi:si: Move SI type information into an info structure 2025-05-07 17:25:47 -05:00
ipmi_si_platform.c ipmi:si: Move SI type information into an info structure 2025-05-07 17:25:47 -05:00
ipmi_si_port_io.c
ipmi_si_sm.h
ipmi_smic_sm.c
ipmi_ssif.c ipmi: Allow an SMI sender to return an error 2025-09-08 10:21:41 -05:00
ipmi_watchdog.c ipmi: Fix strcpy source and destination the same 2025-06-13 19:06:26 -05:00
kcs_bmc.c
kcs_bmc.h
kcs_bmc_aspeed.c treewide: Switch/rename to timer_delete[_sync]() 2025-04-05 10:30:12 +02:00
kcs_bmc_cdev_ipmi.c
kcs_bmc_client.h
kcs_bmc_device.h
kcs_bmc_npcm7xx.c Get rid of 'remove_new' relic from platform driver struct 2024-12-01 15:12:43 -08:00
kcs_bmc_serio.c
ssif_bmc.c treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00