of_parse_phandle() returns a node pointer with refcount
incremented, we should use of_node_put() on it when done.
Add missing of_node_put() to avoid refcount leak.
Fixes: 00d93611f0 ("ipmi:ipmb: Add the ability to have a separate slave and master device")
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Message-Id: <20220512044445.3102-1-linmq006@gmail.com>
Cc: stable@vger.kernel.org # v5.17+
Signed-off-by: Corey Minyard <cminyard@mvista.com>
There were two identical logs in two different places, so you couldn't
tell which one was being logged. Make them unique.
Signed-off-by: Corey Minyard <cminyard@mvista.com>
The was it was wouldn't work in some situations, simplify it. What was
there was unnecessary complexity.
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Don't hand-initialize the struct here, create a macro to initialize it
so new fields added don't get forgotten in places.
Signed-off-by: Corey Minyard <cminyard@mvista.com>
There was a "type" element added to this structure, but some static
values were missed. The default value will be zero, which is correct,
but create an initializer for the type and initialize the type properly
in the initializer to avoid future issues.
Reported-by: Joe Wiese <jwiese@rackspace.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Even though it's not possible to get into the SSIF_GETTING_MESSAGES and
SSIF_GETTING_EVENTS states without a valid message in the msg field,
it's probably best to be defensive here and check and print a log, since
that means something else went wrong.
Also add a default clause to that switch statement to release the lock
and print a log, in case the state variable gets messed up somehow.
Reported-by: Haowen Bai <baihaowen@meizu.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
The i2c probe functions here don't use the id information provided in
their second argument, so the single-parameter i2c probe function
("probe_new") can be used instead.
This avoids scanning the identifier tables during probes.
Signed-off-by: Stephen Kitt <steve@sk2.org>
Message-Id: <20220324171159.544565-1-steve@sk2.org>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Go through each user and add its message count to a total and print the
total.
It would be nice to have a per-user file, but there's no user sysfs
entity at this point to hang it off of. Probably not worth the effort.
Based on work by Chen Guanqiao <chen.chenchacha@foxmail.com>
Cc: Chen Guanqiao <chen.chenchacha@foxmail.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
A count of users is kept for each interface, allow it to be viewed.
Based on work by Chen Guanqiao <chen.chenchacha@foxmail.com>
Cc: Chen Guanqiao <chen.chenchacha@foxmail.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
This way a rogue application can't use up a bunch of memory.
Based on work by Chen Guanqiao <chen.chenchacha@foxmail.com>
Cc: Chen Guanqiao <chen.chenchacha@foxmail.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Each user uses memory, we need limits to avoid a rogue program from
running the system out of memory.
Based on work by Chen Guanqiao <chen.chenchacha@foxmail.com>
Cc: Chen Guanqiao <chen.chenchacha@foxmail.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
KASAN report null-ptr-deref as follows:
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:ipmi_unregister_smi+0x7d/0xd50 drivers/char/ipmi/ipmi_msghandler.c:3680
Call Trace:
ipmi_ipmb_remove+0x138/0x1a0 drivers/char/ipmi/ipmi_ipmb.c:443
ipmi_ipmb_probe+0x409/0xda1 drivers/char/ipmi/ipmi_ipmb.c:548
i2c_device_probe+0x959/0xac0 drivers/i2c/i2c-core-base.c:563
really_probe+0x3f3/0xa70 drivers/base/dd.c:541
In ipmi_ipmb_probe(), 'iidev->intf' is not set before
ipmi_register_smi() success. And in the error handling case,
ipmi_ipmb_remove() is called to release resources, ipmi_unregister_smi()
is called without check 'iidev->intf', this will cause KASAN
null-ptr-deref issue.
General kernel style is to allow NULL to be passed into unregister
calls, so fix it that way. This allows a NULL check to be removed in
other code.
Fixes: 57c9e3c9a3 ("ipmi:ipmi_ipmb: Unregister the SMI on remove")
Reported-by: Hulk Robot <hulkci@huawei.com>
Cc: stable@vger.kernel.org # v5.17+
Cc: Wei Yongjun <weiyongjun1@huawei.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
A chunk was dropped when the code handling send messages was rewritten.
Those messages shouldn't be processed normally, they are just an
indication that the message was successfully sent and the timers should
be started for the real response that should be coming later.
Add back in the missing chunk to just discard the message and go on.
Fixes: 059747c245 ("ipmi: Add support for IPMB direct messages")
Reported-by: Joe Wiese <jwiese@rackspace.com>
Cc: stable@vger.kernel.org # v5.16+
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Tested-by: Joe Wiese <jwiese@rackspace.com>
Clang static analysis reports this issue
ipmi_ssif.c:1731:3: warning: 4th function call
argument is an uninitialized value
dev_info(&ssif_info->client->dev,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The 4th parameter is the 'len' variable.
len is only set by a successful call to do_cmd().
Initialize to len 0.
Signed-off-by: Tom Rix <trix@redhat.com>
Message-Id: <20220320135954.2258545-1-trix@redhat.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
It's been a few releases since we depreciated the "v1" bindings. Remove
support from the driver as all known device trees have been updated to
use the new bindings.
Signed-off-by: Joel Stanley <joel@jms.id.au>
Message-Id: <20220228062840.449215-1-joel@jms.id.au>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
A situation has come up where there is a slave-only device for the slave
and a separate master device on the same bug. Allow a separate slave
device to be registered.
Signed-off-by: Corey Minyard <minyard@acm.org>
The AST2600 is already described in the bindings, but the driver never
gained a compatible string.
Signed-off-by: Joel Stanley <joel@jms.id.au>
Message-Id: <20220221070351.121905-1-joel@jms.id.au>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
The strlcpy should not be used because it doesn't limit the source
length. So that it will lead some potential bugs.
But the strscpy doesn't require reading memory from the src string
beyond the specified "count" bytes, and since the return value is
easier to error-check than strlcpy()'s. In addition, the implementation
is robust to the string changing out from underneath it, unlike the
current strlcpy() implementation.
Thus, replace strlcpy with strscpy.
Signed-off-by: Jason Wang <wangborong@cdjrlc.com>
Message-Id: <20211222032707.1912186-1-wangborong@cdjrlc.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
ident is not modified and can be made const to allow the compiler to put
it in read-only memory.
Signed-off-by: Rikard Falkeborn <rikard.falkeborn@gmail.com>
Message-Id: <20211128220154.32927-1-rikard.falkeborn@gmail.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
If the workqueue allocation fails, the driver is marked as not initialized,
and timer and panic_notifier will be left registered.
Instead of removing those when workqueue allocation fails, do the workqueue
initialization before doing it, and cleanup srcu_struct if it fails.
Fixes: 1d49eb91e8 ("ipmi: Move remove_work to dedicated workqueue")
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Cc: Corey Minyard <cminyard@mvista.com>
Cc: Ioanna Alifieraki <ioanna-maria.alifieraki@canonical.com>
Cc: stable@vger.kernel.org
Message-Id: <20211217154410.1228673-2-cascardo@canonical.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
In case, init_srcu_struct fails (because of memory allocation failure), we
might proceed with the driver initialization despite srcu_struct not being
entirely initialized.
Fixes: 913a89f009 ("ipmi: Don't initialize anything in the core until something uses it")
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Cc: Corey Minyard <cminyard@mvista.com>
Cc: stable@vger.kernel.org
Message-Id: <20211217154410.1228673-1-cascardo@canonical.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
During probe ssif_info->client is dereferenced in error path. However,
it is set when some of the error checking has already been done. This
causes following kernel crash if an error path is taken:
[ 30.645593][ T674] ipmi_ssif 0-000e: ipmi_ssif: Not probing, Interface already present
[ 30.657616][ T674] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000088
...
[ 30.657723][ T674] pc : __dev_printk+0x28/0xa0
[ 30.657732][ T674] lr : _dev_err+0x7c/0xa0
...
[ 30.657772][ T674] Call trace:
[ 30.657775][ T674] __dev_printk+0x28/0xa0
[ 30.657778][ T674] _dev_err+0x7c/0xa0
[ 30.657781][ T674] ssif_probe+0x548/0x900 [ipmi_ssif 62ce4b08badc1458fd896206d9ef69a3c31f3d3e]
[ 30.657791][ T674] i2c_device_probe+0x37c/0x3c0
...
Initialize ssif_info->client before any error path can be taken. Clear
i2c_client data in the error path to prevent the dangling pointer from
leaking.
Fixes: c4436c9149 ("ipmi_ssif: avoid registering duplicate ssif interface")
Cc: stable@vger.kernel.org # 5.4.x
Suggested-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Mian Yousaf Kaukab <ykaukab@suse.de>
Message-Id: <20211208093239.4432-1-ykaukab@suse.de>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
More missed changes, the response back to another system sending a
command that had no user to handle it wasn't formatted properly.
Signed-off-by: Corey Minyard <cminyard@mvista.com>
A couple of issues:
The tested data sizes are wrong; during the design that changed and this
got missed.
The formatting of the reponse couldn't use the normal one, it has to be
an IPMB formatted response.
Reported-by: Jakub Kicinski <kuba@kernel.org>
Fixes: 059747c245 ("ipmi: Add support for IPMB direct messages")
Signed-off-by: Corey Minyard <cminyard@mvista.com>
We're hitting OOB accesses in handle_ipmb_direct_rcv_rsp() (memcpy of
size -1) after user space generates a message. Looks like the message
is incorrectly assumed to be of the new IPMB type, because type is never
set and message is allocated with kmalloc() not kzalloc().
Fixes: 059747c245 ("ipmi: Add support for IPMB direct messages")
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Message-Id: <20211124210323.1950976-1-kuba@kernel.org>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
The sparse tool complains as follows:
drivers/char/ipmi/ipmi_msghandler.c:194:25: warning:
symbol 'remove_work_wq' was not declared. Should it be static?
This symbol is not used outside of ipmi_msghandler.c, so
marks it static.
Fixes: 1d49eb91e8 ("ipmi: Move remove_work to dedicated workqueue")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Message-Id: <20211123083618.2366808-1-weiyongjun1@huawei.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Currently when removing an ipmi_user the removal is deferred as a work on
the system's workqueue. Although this guarantees the free operation will
occur in non atomic context, it can race with the ipmi_msghandler module
removal (see [1]) . In case a remove_user work is scheduled for removal
and shortly after ipmi_msghandler module is removed we can end up in a
situation where the module is removed fist and when the work is executed
the system crashes with :
BUG: unable to handle page fault for address: ffffffffc05c3450
PF: supervisor instruction fetch in kernel mode
PF: error_code(0x0010) - not-present page
because the pages of the module are gone. In cleanup_ipmi() there is no
easy way to detect if there are any pending works to flush them before
removing the module. This patch creates a separate workqueue and schedules
the remove_work works on it. When removing the module the workqueue is
drained when destroyed to avoid the race.
[1] https://bugs.launchpad.net/bugs/1950666
Cc: stable@vger.kernel.org # 5.1
Fixes: 3b9a907223 (ipmi: fix sleep-in-atomic in free_user at cleanup SRCU user->release_barrier)
Signed-off-by: Ioanna Alifieraki <ioanna-maria.alifieraki@canonical.com>
Message-Id: <20211115131645.25116-1-ioanna-maria.alifieraki@canonical.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
In the unlikely event where 'devm_kzalloc()' fails and 'kzalloc()'
succeeds, 'port' would be leaking.
Test each allocation separately to avoid the leak.
Fixes: 3a3d2f6a4c ("ipmi: kcs_bmc: Add serio adaptor")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Message-Id: <ecbfa15e94e64f4b878ecab1541ea46c74807670.1631048724.git.christophe.jaillet@wanadoo.fr>
Reviewed-by: Andrew Jeffery <andrew@aj.id.au>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
coccicheck complains about the use of snprintf() in sysfs show
functions:
WARNING use scnprintf or sprintf
Use sysfs_emit instead of scnprintf, snprintf or sprintf makes more
sense.
Reported-by: Zeal Robot <zealci@zte.com.cn>
Signed-off-by: Ye Guojin <ye.guojin@zte.com.cn>
Message-Id: <20211021110608.1060260-1-ye.guojin@zte.com.cn>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
When CONFIG_I2C=m, CONFIG_I2C_SLAVE=y (bool), and CONFIG_IPMI_IPMB=y,
the build fails with:
ld: drivers/char/ipmi/ipmi_ipmb.o: in function `ipmi_ipmb_remove':
ipmi_ipmb.c:(.text+0x6b): undefined reference to `i2c_slave_unregister'
ld: drivers/char/ipmi/ipmi_ipmb.o: in function `ipmi_ipmb_thread':
ipmi_ipmb.c:(.text+0x2a4): undefined reference to `i2c_transfer'
ld: drivers/char/ipmi/ipmi_ipmb.o: in function `ipmi_ipmb_probe':
ipmi_ipmb.c:(.text+0x646): undefined reference to `i2c_slave_register'
ld: drivers/char/ipmi/ipmi_ipmb.o: in function `ipmi_ipmb_driver_init':
ipmi_ipmb.c:(.init.text+0xa): undefined reference to `i2c_register_driver'
ld: drivers/char/ipmi/ipmi_ipmb.o: in function `ipmi_ipmb_driver_exit':
ipmi_ipmb.c:(.exit.text+0x8): undefined reference to `i2c_del_driver'
This is due to having a tristate depending on a bool symbol.
By adding I2C (tristate) as a dependency, the desired dependencies
are met, causing IPMI_IPMB to be changed from =y to =m:
-CONFIG_IPMI_IPMB=y
+CONFIG_IPMI_IPMB=m
Fixes: 63c4eb3471 ("ipmi:ipmb: Add initial support for IPMI over IPMB")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Cc: Corey Minyard <minyard@acm.org>
Cc: openipmi-developer@lists.sourceforge.net
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Message-Id: <20211012204416.23108-1-rdunlap@infradead.org>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Add direct OF support for fetching control parameters from the device
tree. Make it work like the device tree entries for the other IPMI
devices. Also add documentation for this.
Signed-off-by: Corey Minyard <cminyard@mvista.com>
The AST2600 has the same register set as the previous generation SoCs.
Signed-off-by: Joel Stanley <joel@jms.id.au>
Acked-by: Rob Herring <robh@kernel.org>
Message-Id: <20210903015314.177987-1-joel@jms.id.au>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
This driver was originally written to use the regmap abstraction with no
clear benefit. As the registers are always mmio and there is no sharing
of the region with other devices, we can safely read and write without
the locking that regmap provides.
This reduces the code size of the driver by about 25%.
Signed-off-by: Joel Stanley <joel@jms.id.au>
Message-Id: <20210903051039.307991-1-joel@jms.id.au>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
There is an off-by-one bounds check on the rcvlen causing a potential
out of bounds write on iidev->rcvmsg. Fix this by using the >= operator
on the bounds check rather than the > operator.
Addresses-Coverity: ("Out-of-bounds write")
Fixes: 0ba0c3c5d1c1 ("ipmi:ipmb: Add initial support for IPMI over IPMB")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Message-Id: <20211005151611.305383-1-colin.king@canonical.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
This provides access to the management controllers on an IPMB bus to a
device sitting on the IPMB bus. It also provides slave capability to
respond to received messages on the bus.
Signed-off-by: Corey Minyard <minyard@acm.org>
Tested-by: Andrew Manley <andrew.manley@sealingtech.com>
Reviewed-by: Andrew Manley <andrew.manley@sealingtech.com>
An application has come up that has a device sitting right on the IPMB
that would like to communicate with the BMC on the IPMB using normal
IPMI commands.
Sending these commands and handling the responses is easy enough, no
modifications are needed to the IPMI infrastructure. But if this is an
application that also needs to receive IPMB commands and respond, some
way is needed to handle these incoming commands and send the responses.
Currently, the IPMI message handler only sends commands to the interface
and only receives responses from interface. This change extends the
interface to receive commands/responses and send commands/responses.
These are formatted differently in support of receiving/sending IPMB
messages directly.
Signed-off-by: Corey Minyard <minyard@acm.org>
Tested-by: Andrew Manley <andrew.manley@sealingtech.com>
Reviewed-by: Andrew Manley <andrew.manley@sealingtech.com>
It will be needed by the upcoming ipmb direct addressing.
Signed-off-by: Corey Minyard <minyard@acm.org>
Tested-by: Andrew Manley <andrew.manley@sealingtech.com>
Reviewed-by: Andrew Manley <andrew.manley@sealingtech.com>
Don't do kfree or other risky things when oops_in_progress is set.
It's easy enough to avoid doing them
Signed-off-by: Corey Minyard <cminyard@mvista.com>
You will get two decrements when the messages on a panic are sent, not
one, since commit 2033f68589 ("ipmi: Free receive messages when in an
oops") was added, but the watchdog code had a bug where it didn't set
the value properly.
Reported-by: Anton Lundin <glance@acc.umu.se>
Cc: <Stable@vger.kernel.org> # v5.4+
Fixes: 2033f68589 ("ipmi: Free receive messages when in an oops")
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Nothing bug, but probably needs to go in.
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEE/Q1c5nzg9ZpmiCaGYfOMkJGb/4EFAmE6eAgACgkQYfOMkJGb
/4F1GA/+JnhnEtTOfnZktOfCMH2KecJtshGWG8s8no8dx1TqZWQZHIrVOKwOTqfG
YKUBWBZ7ip4yqPMzsWX2JztTE5njmmby6K3nOrrt0GNThv6i9m3NTF5a249sYdXh
JjWCwcasRQw/yEFCHSWh7/k9YztdxaZEo+HBGxYL0AC7QEqIe8kiqmXD+UpfxHVu
053NiIAe1Owg/b3mvebGzP6iKP3/nvrrdcBzL7mCCq4Vln/GEOUwIlLqRYBwcFyZ
+ssyGyV18BhOLP2pF/i+FttyUvB/k/ypdHy0ODxdy0DnYpZ0m+r/DjLk2PGyiPMI
1JZO5tyGHuzQHkhwl0dvB5C9c6WQVSxAIlUCHhYXjFibi2RrU1CpwoYulnAUPIKu
ppuoiNpZ3s81m6i1SB3t3yDeQGfZ2OYWosCGjd4uO6NNlpXGUd8yqOeWgBl8F3QD
E6xNQQF3aKwvySL+MGMLnIIxzMaYOj+H/4/CefRYPi+vxwF+YVi2PAwDtdRuVc/z
to0eowHSTHWlTSY34sHMXZL9omqPwlIyIuZpgCVJicx0UIEdCfY3qQeZWWDC0uoQ
FfWMkYrUJQyxOnJlsgWIpaX7EhHmUoUxYW1QhvyiZ8Ez7gc0dYFAfUgq56TXPVNp
9WOirJR0lHKBovljMlcBbtlNW7qBww8Z8YbRQrfrZ4OHx1U2xj0=
=BmmZ
-----END PGP SIGNATURE-----
Merge tag 'for-linus-5.15-1' of git://github.com/cminyard/linux-ipmi
Pull IPMI updates from Corey Minyard:
"A couple of very minor fixes for style and rate limiting.
Nothing big, but probably needs to go in"
* tag 'for-linus-5.15-1' of git://github.com/cminyard/linux-ipmi:
char: ipmi: use DEVICE_ATTR helper macro
ipmi: rate limit ipmi smi_event failure message
The caller of this function (parisc_driver_remove() in
arch/parisc/kernel/drivers.c) ignores the return value, so better don't
return any value at all to not wake wrong expectations in driver authors.
The only function that could return a non-zero value before was
ipmi_parisc_remove() which returns the return value of
ipmi_si_remove_by_dev(). Make this function return void, too, as for all
other callers the value is ignored, too.
Also fold in a small checkpatch fix for:
WARNING: Unnecessary space before function pointer arguments
+ void (*remove) (struct parisc_device *dev);
Acked-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> (for drivers/input)
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Acked-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Acked-by: Jiri Slaby <jirislaby@kernel.org>
Signed-off-by: Helge Deller <deller@gmx.de>
Instead of open coding DEVICE_ATTR, use the helper macro
DEVICE_ATTR_RO to replace DEVICE_ATTR with 0444 octal
permissions.
This was detected as a part of checkpatch evaluation
investigating all reports of DEVICE_ATTR_RO warning
type.
Signed-off-by: Dwaipayan Ray <dwaipayanray1@gmail.com>
Message-Id: <20210730062951.84876-1-dwaipayanray1@gmail.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
