diff options
author | Linus Torvalds <torvalds@linux-foundation.org> | 2016-06-16 04:08:31 +0200 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2016-06-16 04:08:31 +0200 |
commit | f66c6e6a840f94ad175c76fd51dc1af2f2d63cf3 (patch) | |
tree | 5d66b5549bf663b2d84969c2aa0a56a9586dd3ac | |
parent | Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost (diff) | |
parent | ipmi: Remove smi_msg from waiting_rcv_msgs list before handle_one_recv_msg() (diff) | |
download | linux-f66c6e6a840f94ad175c76fd51dc1af2f2d63cf3.tar.xz linux-f66c6e6a840f94ad175c76fd51dc1af2f2d63cf3.zip |
Merge tag 'for-linus-4.7-2' of git://git.code.sf.net/p/openipmi/linux-ipmi
Pull ipmi bugfix from Corey Minyard:
"Fix a fairly significant ipmi list bug
This bug could cause lists to be corrupted"
* tag 'for-linus-4.7-2' of git://git.code.sf.net/p/openipmi/linux-ipmi:
ipmi: Remove smi_msg from waiting_rcv_msgs list before handle_one_recv_msg()
-rw-r--r-- | drivers/char/ipmi/ipmi_msghandler.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c index 94fb407d8561..44b1bd6baa38 100644 --- a/drivers/char/ipmi/ipmi_msghandler.c +++ b/drivers/char/ipmi/ipmi_msghandler.c @@ -3820,6 +3820,7 @@ static void handle_new_recv_msgs(ipmi_smi_t intf) while (!list_empty(&intf->waiting_rcv_msgs)) { smi_msg = list_entry(intf->waiting_rcv_msgs.next, struct ipmi_smi_msg, link); + list_del(&smi_msg->link); if (!run_to_completion) spin_unlock_irqrestore(&intf->waiting_rcv_msgs_lock, flags); @@ -3829,11 +3830,14 @@ static void handle_new_recv_msgs(ipmi_smi_t intf) if (rv > 0) { /* * To preserve message order, quit if we - * can't handle a message. + * can't handle a message. Add the message + * back at the head, this is safe because this + * tasklet is the only thing that pulls the + * messages. */ + list_add(&smi_msg->link, &intf->waiting_rcv_msgs); break; } else { - list_del(&smi_msg->link); if (rv == 0) /* Message handled */ ipmi_free_smi_msg(smi_msg); |