summaryrefslogtreecommitdiffstats
path: root/drivers/char
diff options
context:
space:
mode:
authorNeelesh Gupta <neelegup@linux.vnet.ibm.com>2015-07-16 13:16:54 +0200
committerCorey Minyard <cminyard@mvista.com>2015-09-03 22:01:55 +0200
commitcca85f19c260df495a487495479c67803b25fa8a (patch)
tree91aed5a553ea8a627ac8b60301df2ad57a10cbdf /drivers/char
parentipmi: Convert the IPMI SI ACPI handling to a platform device (diff)
downloadlinux-cca85f19c260df495a487495479c67803b25fa8a.tar.xz
linux-cca85f19c260df495a487495479c67803b25fa8a.zip
ipmi/powernv: Fix potential invalid pointer dereference
If the OPAL call to receive the ipmi message fails, then we free up the smi message and return. But, the driver still holds the reference to old smi message in the 'cur_msg' which can potentially be accessed later and freed again leading to kernel oops. To fix it up, The kernel driver should reset the 'cur_msg' and send reply to the user in addition to freeing the message. Signed-off-by: Neelesh Gupta <neelegup@linux.vnet.ibm.com> Fixed a checkpatch warning dealing with an else after a return. Signed-off-by: Corey Minyard <cminyard@mvista.com>
Diffstat (limited to 'drivers/char')
-rw-r--r--drivers/char/ipmi/ipmi_powernv.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/drivers/char/ipmi/ipmi_powernv.c b/drivers/char/ipmi/ipmi_powernv.c
index 9b409c0f14f7..62c0c634280f 100644
--- a/drivers/char/ipmi/ipmi_powernv.c
+++ b/drivers/char/ipmi/ipmi_powernv.c
@@ -143,8 +143,15 @@ static int ipmi_powernv_recv(struct ipmi_smi_powernv *smi)
pr_devel("%s: -> %d (size %lld)\n", __func__,
rc, rc == 0 ? size : 0);
if (rc) {
+ /* If came via the poll, and response was not yet ready */
+ if (rc == OPAL_EMPTY) {
+ spin_unlock_irqrestore(&smi->msg_lock, flags);
+ return 0;
+ }
+
+ smi->cur_msg = NULL;
spin_unlock_irqrestore(&smi->msg_lock, flags);
- ipmi_free_smi_msg(msg);
+ send_error_reply(smi, msg, IPMI_ERR_UNSPECIFIED);
return 0;
}