linux/drivers/char
Junichi Nomura ae4ea9a246 ipmi: Remove smi_msg from waiting_rcv_msgs list before handle_one_recv_msg()
Commit 7ea0ed2b5b ("ipmi: Make the message handler easier to use for
SMI interfaces") changed handle_new_recv_msgs() to call handle_one_recv_msg()
for a smi_msg while the smi_msg is still connected to waiting_rcv_msgs list.
That could lead to following list corruption problems:

1) low-level function treats smi_msg as not connected to list

  handle_one_recv_msg() could end up calling smi_send(), which
  assumes the msg is not connected to list.

  For example, the following sequence could corrupt list by
  doing list_add_tail() for the entry still connected to other list.

    handle_new_recv_msgs()
      msg = list_entry(waiting_rcv_msgs)
      handle_one_recv_msg(msg)
        handle_ipmb_get_msg_cmd(msg)
          smi_send(msg)
            spin_lock(xmit_msgs_lock)
            list_add_tail(msg)
            spin_unlock(xmit_msgs_lock)

2) race between multiple handle_new_recv_msgs() instances

  handle_new_recv_msgs() once releases waiting_rcv_msgs_lock before calling
  handle_one_recv_msg() then retakes the lock and list_del() it.

  If others call handle_new_recv_msgs() during the window shown below
  list_del() will be done twice for the same smi_msg.

  handle_new_recv_msgs()
    spin_lock(waiting_rcv_msgs_lock)
    msg = list_entry(waiting_rcv_msgs)
    spin_unlock(waiting_rcv_msgs_lock)
  |
  | handle_one_recv_msg(msg)
  |
    spin_lock(waiting_rcv_msgs_lock)
    list_del(msg)
    spin_unlock(waiting_rcv_msgs_lock)

Fixes: 7ea0ed2b5b ("ipmi: Make the message handler easier to use for SMI interfaces")
Signed-off-by: Jun'ichi Nomura <j-nomura@ce.jp.nec.com>
[Added a comment to describe why this works.]
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Cc: stable@vger.kernel.org # 3.19
Tested-by: Ye Feng <yefeng.yl@alibaba-inc.com>
2016-06-13 08:56:28 -05:00
..
agp Merge branch 'drm-next' of git://people.freedesktop.org/~airlied/linux 2016-03-21 13:48:00 -07:00
hw_random crypto4xx: integrate ppc4xx-rng into crypto4xx 2016-04-20 17:50:02 +08:00
ipmi ipmi: Remove smi_msg from waiting_rcv_msgs list before handle_one_recv_msg() 2016-06-13 08:56:28 -05:00
mwave drivers/char: delete non-required instances of include <linux/init.h> 2014-02-07 15:10:19 -08:00
pcmcia TTY and Serial driver update for 4.7-rc1 2016-05-20 20:57:27 -07:00
tpm tpm_tis: fix build warning with tpm_tis_resume 2016-02-26 11:32:07 +02:00
xilinx_hwicap char:xilinx_hwicap:buffer_icap - change 1/0 to true/false for bool type variable in function buffer_icap_set_configuration(). 2015-06-12 16:58:33 -07:00
xillybus char: xillybus: use devm_add_action_or_reset 2016-04-30 14:04:45 -07:00
apm-emulation.c apm-emulation: add hibernation APM events to support suspend2disk 2014-01-07 13:50:28 +01:00
applicom.c applicom: dereferencing NULL on error path 2014-05-27 17:43:12 -07:00
applicom.h
bfin-otp.c
bsr.c bsr: avoid format string leaking into device name 2014-07-09 16:59:15 -07:00
ds1302.c
ds1620.c ds1620: single_open() leak 2013-05-05 00:11:29 -04:00
dsp56k.c drivers/char/dsp56k.c: drop check for negativity of unsigned parameter 2014-07-17 18:38:37 -07:00
dtlk.c new helper: file_inode(file) 2013-02-22 23:31:31 -05:00
efirtc.c drivers/char: make efirtc.c driver explicitly non-modular 2015-09-20 19:32:35 -07:00
generic_nvram.c don't open-code generic_file_llseek_size() 2015-12-09 13:00:45 -05:00
genrtc.c rtc: single_open() leaks 2013-05-05 00:12:29 -04:00
hangcheck-timer.c hangcheck-timer: cleanup casting in hangcheck_init() 2014-11-07 11:24:01 -08:00
hpet.c hpet: Drop stale URLs 2016-02-17 09:39:56 +01:00
Kconfig char: Drop bogus dependency of DEVPORT on !M68K 2016-05-01 14:20:04 -07:00
lp.c char: Int overflow in lp_do_ioctl(). 2013-12-18 16:39:54 -08:00
Makefile hwmon: Rename i8k driver to dell-smm-hwmon and move it to hwmon tree 2015-05-24 12:48:12 -07:00
mbcs.c don't open-code generic_file_llseek_size() 2015-12-09 13:00:45 -05:00
mbcs.h
mem.c drivers: char: mem: fix IS_ERROR_VALUE usage 2016-03-05 12:19:39 -08:00
misc.c char: make misc_deregister a void function 2015-08-05 10:35:49 -07:00
mmtimer.c
mspec.c tree wide: use kvfree() than conditional kfree()/vfree() 2016-01-22 17:02:18 -08:00
nsc_gpio.c new helper: file_inode(file) 2013-02-22 23:31:31 -05:00
nvram.c char/nvram: set array of const as const 2016-02-08 14:57:30 -08:00
nwbutton.c char: nwbutton: avoid unused variable warning 2016-02-09 17:39:56 -08:00
nwbutton.h
nwflash.c new helpers: no_seek_end_llseek{,_size}() 2015-12-23 10:41:31 -05:00
pc8736x_gpio.c
ppdev.c Revert "ppdev: use new parport device model" 2016-03-25 09:02:13 -07:00
ps3flash.c wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
random.c lib/uuid.c: move generate_random_uuid() to uuid.c 2016-05-20 17:58:30 -07:00
raw.c drivers: char: raw: Removed unnecessary braces 2016-02-08 14:57:30 -08:00
rtc.c various char drivers: remove deprecated IRQF_DISABLED 2013-10-16 12:36:10 -07:00
scx200_gpio.c
snsc_event.c various char drivers: remove deprecated IRQF_DISABLED 2013-10-16 12:36:10 -07:00
snsc.c drivers/char: make SGI snsc.c driver explicitly non-modular 2015-09-20 19:32:35 -07:00
snsc.h
sonypi.c char: drop owner assignment from platform_drivers 2014-10-20 16:20:19 +02:00
tb0219.c char: drop owner assignment from platform_drivers 2014-10-20 16:20:19 +02:00
tile-srom.c fs: move struct kiocb to fs.h 2015-03-25 20:28:11 -04:00
tlclk.c tlclk: remove deprecated IRQF_DISABLED 2013-10-16 12:36:10 -07:00
toshiba.c toshiba laptop: replace ioremap_cache with ioremap 2015-08-05 17:26:00 -07:00
ttyprintk.c char: constify tty_port_operations structs 2016-02-06 23:31:08 -08:00
uv_mmtimer.c
virtio_console.c virtio_console: silence a static checker warning 2015-05-24 12:24:35 -07:00