From 180153efd3cf17b05520931d98899f38de3fbb0e Mon Sep 17 00:00:00 2001 From: Wei Yongjun Date: Fri, 3 Nov 2017 09:52:45 +0000 Subject: ipmi_si_platform: Fix typo in parameter description Fix typo in parameter description. Fixes: 95e300c052fd ("ipmi: Make the DMI probe into a generic platform probe") Signed-off-by: Wei Yongjun Signed-off-by: Corey Minyard
---
 drivers/char/ipmi/ipmi_si_platform.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/char/ipmi/ipmi_si_platform.c b/drivers/char/ipmi/ipmi_si_platform.c
index 9573f1116450..f4214870d726 100644
--- a/drivers/char/ipmi/ipmi_si_platform.c
+++ b/drivers/char/ipmi/ipmi_si_platform.c
@@ -40,7 +40,7 @@ MODULE_PARM_DESC(tryacpi, "Setting this to zero will disable the"
 #endif
 #ifdef CONFIG_OF
 module_param_named(tryopenfirmware, si_tryopenfirmware, bool, 0);
-MODULE_PARM_DESC(tryacpi, "Setting this to zero will disable the"
+MODULE_PARM_DESC(tryopenfirmware, "Setting this to zero will disable the"
 " default scan of the interfaces identified via OpenFirmware");
 #endif
 #ifdef CONFIG_DMI
-- cgit
From 7195a5a6dad92441e3b38e03c44590597da743b7 Mon Sep 17 00:00:00 2001 From: Wei Yongjun Date: Fri, 3 Nov 2017 09:52:28 +0000 Subject: ipmi watchdog: fix typo in parameter description Fix typo in parameter description. Signed-off-by: Wei Yongjun Signed-off-by: Corey Minyard
---
 drivers/char/ipmi/ipmi_watchdog.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/char/ipmi/ipmi_watchdog.c b/drivers/char/ipmi/ipmi_watchdog.c
index 76b270678b50..09e8463e480f 100644
--- a/drivers/char/ipmi/ipmi_watchdog.c
+++ b/drivers/char/ipmi/ipmi_watchdog.c
@@ -298,7 +298,7 @@ module_param(pretimeout, timeout, 0644);
 MODULE_PARM_DESC(pretimeout, "Pretimeout value in seconds.");
 module_param(panic_wdt_timeout, timeout, 0644);
-MODULE_PARM_DESC(timeout, "Timeout value on kernel panic in seconds.");
+MODULE_PARM_DESC(panic_wdt_timeout, "Timeout value on kernel panic in seconds.");
 module_param_cb(action, ¶m_ops_str, action_op, 0644);
 MODULE_PARM_DESC(action, "Timeout action. One of: "
-- cgit
From 174134ac760275457bb0d1560a0dbe6cf8a12ad6 Mon Sep 17 00:00:00 2001 From: Corey Minyard Date: Mon, 27 Nov 2017 08:18:33 -0600 Subject: ipmi_si: Fix error handling of platform device Cleanup of platform devices created by the IPMI driver was not being done correctly and could result in a memory leak. So create a local boolean to know how to clean up those platform devices. Reported-by: David Binderman Signed-off-by: Corey Minyard
---
 drivers/char/ipmi/ipmi_si_intf.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/char/ipmi/ipmi_si_intf.c b/drivers/char/ipmi/ipmi_si_intf.c
index 71fad747c0c7..7499b0cd8326 100644
--- a/drivers/char/ipmi/ipmi_si_intf.c
+++ b/drivers/char/ipmi/ipmi_si_intf.c
@@ -2045,6 +2045,7 @@ static int try_smi_init(struct smi_info *new_smi)
 int rv = 0;
 int i;
 char *init_name = NULL;
+ bool platform_device_registered = false;
 pr_info(PFX "Trying %s-specified %s state machine at %s address 0x%lx, slave address 0x%x, irq %d\n",
 ipmi_addr_src_to_str(new_smi->io.addr_source),
@@ -2173,6 +2174,7 @@ static int try_smi_init(struct smi_info *new_smi)
 rv);
 goto out_err;
 }
+ platform_device_registered = true;
 }
 dev_set_drvdata(new_smi->io.dev, new_smi);
@@ -2279,10 +2281,11 @@ out_err:
 }
 if (new_smi->pdev) {
- platform_device_unregister(new_smi->pdev);
+ if (platform_device_registered)
+ platform_device_unregister(new_smi->pdev);
+ else
+ platform_device_put(new_smi->pdev);
 new_smi->pdev = NULL;
- } else if (new_smi->pdev) {
- platform_device_put(new_smi->pdev);
 }
 kfree(init_name);
-- cgit
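Review bot: In the `out_err` hunk of try_smi_init(), the choice between `platform_device_unregister()` and `platform_device_put()` rests on a local flag whose meaning is stated nowhere in the code, so a later edit that moves the `platform_device_registered = true;` assignment would quietly bring back the wrong release call. A comment above the branch would pin the rule down, e.g. `/* Unregister only a device that was successfully added; otherwise just drop the reference taken at allocation. */`. The call that precedes the assignment in the second hunk is not visible, so this assumes it is the add/register step whose failure branch ends in `goto out_err`. The hunks also do not show whether other fields that were pointed into `new_smi->pdev` earlier in the function are reset here, which is worth confirming since the device may be freed by the put. The function body starts and ends outside the hunks.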
From 1b4254cee0643ae624d33481b5107b790ae581b9 Mon Sep 17 00:00:00 2001 From: Xiongfeng Wang Date: Mon, 8 Jan 2018 20:01:32 +0800 Subject: ipmi: use correct string length gcc-8 reports drivers/char/ipmi/ipmi_msghandler.c: In function 'panic_op_write_handler': ./include/linux/string.h:245:9: warning: '__builtin_strncpy' specified bound 16 equals destination size [-Wstringop-truncation] drivers/char/ipmi/ipmi_watchdog.c: In function 'set_param_str': ./include/linux/string.h:245:9: warning: '__builtin_strncpy' specified bound 16 equals destination size [-Wstringop-truncation] We need one less byte or call strlcpy() to make it a nul-terminated string. Signed-off-by: Xiongfeng Wang Signed-off-by: Corey Minyard
---
 drivers/char/ipmi/ipmi_msghandler.c | 2 +-
 drivers/char/ipmi/ipmi_watchdog.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c
index f45732a2cb3e..01fbffb3168e 100644
--- a/drivers/char/ipmi/ipmi_msghandler.c
+++ b/drivers/char/ipmi/ipmi_msghandler.c
@@ -84,7 +84,7 @@ static int panic_op_write_handler(const char *val,
 char valcp[16];
 char *s;
- strncpy(valcp, val, 16);
+ strncpy(valcp, val, 15);
 valcp[15] = '\0';
 s = strstrip(valcp);
diff --git a/drivers/char/ipmi/ipmi_watchdog.c b/drivers/char/ipmi/ipmi_watchdog.c
index 09e8463e480f..775887977cbc 100644
--- a/drivers/char/ipmi/ipmi_watchdog.c
+++ b/drivers/char/ipmi/ipmi_watchdog.c
@@ -232,7 +232,7 @@ static int set_param_str(const char *val, const struct kernel_param *kp)
 char valcp[16];
 char *s;
- strncpy(valcp, val, 15);
+ strncpy(valcp, val, 15);
 valcp[15] = '\0';
 s = strstrip(valcp);
-- cgit
From bd1c06a4f5e2b2c96b9ff09a13983efb2d013b18 Mon Sep 17 00:00:00 2001
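Review bot: In panic_op_write_handler(), `strncpy(valcp, val, 15)` still cuts a longer `val` off silently, so an over-long parameter string is reduced to its first 15 bytes and then parsed as if that were the whole input; the identical change in set_param_str() in ipmi_watchdog.c has the same property. The bound is also a second magic number that has to be kept in step with `char valcp[16]` by hand. Rejecting over-long input and taking the size from the buffer covers both, for example `if (strscpy(valcp, val, sizeof(valcp)) < 0) return -EINVAL;` in place of the copy and the manual terminator. Both function bodies continue outside the hunks, so how the stripped string is matched afterwards is not visible here.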
From: Masamitsu Yamazaki Date: Mon, 15 Jan 2018 07:58:12 +0000 Subject: ipmi: Clear smi_info->thread to prevent use-after-free during module unload During code inspection, I found an use-after-free possibility during unloading ipmi_si in the polling mode. If start_new_msg() is called after kthread_stop(), the function will try to wake up non-existing kthread using the dangling pointer. Possible scenario is when a new internal message is generated after ipmi_unregister_smi()[*1] and remains after stop_timer_and_thread() in clenaup_one_si() [*2]. Use-after-free could occur as follows depending on BMC replies. cleanup_one_si => ipmi_unregister_smi [*1] => stop_timer_and_thread => kthread_stop(smi_info->thread) [*2] => poll => smi_event_handler => start_new_msg => if (smi_info->thread) wake_up_process(smi_info->thread) <== use-after-free!! Although currently it seems no such message is generated in the polling mode, some changes might introduce that in thefuture. For example in the interrupt mode, disable_si_irq() does that at [*2]. So let's prevent such a critical issue possibility now. Signed-off-by: Yamazaki Masamitsu Signed-off-by: Corey Minyard
---
 drivers/char/ipmi/ipmi_si_intf.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/char/ipmi/ipmi_si_intf.c b/drivers/char/ipmi/ipmi_si_intf.c
index 7499b0cd8326..6768cb2dd740 100644
--- a/drivers/char/ipmi/ipmi_si_intf.c
+++ b/drivers/char/ipmi/ipmi_si_intf.c
@@ -1938,8 +1938,10 @@ static void check_for_broken_irqs(struct smi_info *smi_info)
 static inline void stop_timer_and_thread(struct smi_info *smi_info)
 {
- if (smi_info->thread != NULL)
+ if (smi_info->thread != NULL) {
 kthread_stop(smi_info->thread);
+ smi_info->thread = NULL;
+ }
 smi_info->timer_can_start = false;
 if (smi_info->timer_running)
-- cgit
From 37c46ca6ee41ba9b780c8d0ef35859dc214cd4a0 Mon Sep 17 00:00:00 2001
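Review bot: In stop_timer_and_thread(), `smi_info->thread` is cleared with a plain store after `kthread_stop()` has returned, and nothing in the hunk shows a lock or barrier ordering that store against the `if (smi_info->thread) wake_up_process(...)` reader named in the commit message. If that reader can run on another CPU it may already have loaded the old pointer, so the change would narrow the window rather than close it. Either state the serialization the function relies on in a comment above it, e.g. `/* Caller guarantees start_new_msg() cannot run concurrently; ->thread is cleared without locking. */`, or do the clear under the lock the readers hold; which lock that is cannot be told from the hunk. The function body continues past the last line shown.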
From: Jeremy Kerr Date: Tue, 16 Jan 2018 15:21:27 -0600 Subject: ipmi/ipmi_powernv: remove outdated todo in powernv IPMI driver Since the IPMI core now queries device IDs dynamically, we no longer need this todo for implementing this in the powernv driver. Signed-off-by: Jeremy Kerr Signed-off-by: Corey Minyard
---
 drivers/char/ipmi/ipmi_powernv.c | 1 -
 1 file changed, 1 deletion(-)
diff --git a/drivers/char/ipmi/ipmi_powernv.c b/drivers/char/ipmi/ipmi_powernv.c
index 07fddbefefe4..c687c8d57c92 100644
--- a/drivers/char/ipmi/ipmi_powernv.c
+++ b/drivers/char/ipmi/ipmi_powernv.c
@@ -264,7 +264,6 @@ static int ipmi_powernv_probe(struct platform_device *pdev)
 goto err_unregister;
 }
- /* todo: query actual ipmi_device_id */
 rc = ipmi_register_smi(&ipmi_powernv_smi_handlers, ipmi, dev, 0);
 if (rc) {
 dev_warn(dev, "IPMI SMI registration failed (%d)\n", rc);
-- cgit
From 5516e21a1e95e9b9f39985598431a25477d91643 Mon Sep 17 00:00:00 2001
From: John Garry Date: Thu, 18 Jan 2018 00:36:57 +0800 Subject: ipmi: use dynamic memory for DMI driver override Currently a crash can be seen if we reach the "err" label in dmi_add_platform_ipmi(), calling platform_device_put(), like here: [ 7.270584] (null): ipmi:dmi: Unable to add resources: -16 [ 7.330229] ------------[ cut here ]------------ [ 7.334889] kernel BUG at mm/slub.c:3894! [ 7.338936] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP [ 7.344475] Modules linked in: [ 7.347556] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.15.0-rc2-00004-gbe9cb7b-dirty #114 [ 7.355907] Hardware name: Huawei Taishan 2280 /D05, BIOS Hisilicon D05 IT17 Nemo 2.0 RC0 11/29/2017 [ 7.365137] task: 00000000c211f6d3 task.stack: 00000000f276e9af [ 7.371116] pstate: 60000005 (nZCv daif -PAN -UAO) [ 7.375957] pc : kfree+0x194/0x1b4 [ 7.379389] lr : platform_device_release+0xcc/0xd8 [ 7.384225] sp : ffff0000092dba90 [ 7.387567] x29: ffff0000092dba90 x28: ffff000008a83000 [ 7.392933] x27: ffff0000092dbc10 x26: 00000000000000e6 [ 7.398297] x25: 0000000000000003 x24: ffff0000085b51e8 [ 7.403662] x23: 0000000000000100 x22: ffff7e0000234cc0 [ 7.409027] x21: ffff000008af3660 x20: ffff8017d21acc10 [ 7.414392] x19: ffff8017d21acc00 x18: 0000000000000002 [ 7.419757] x17: 0000000000000001 x16: 0000000000000008 [ 7.425121] x15: 0000000000000001 x14: 6666666678303d65 [ 7.430486] x13: 6469727265766f5f x12: 7265766972642e76 [ 7.435850] x11: 6564703e2d617020 x10: 6530326435373638 [ 7.441215] x9 : 3030303030303030 x8 : 3d76656420657361 [ 7.446580] x7 : ffff000008f59df8 x6 : ffff8017fbe0ea50 [ 7.451945] x5 : 0000000000000000 x4 : 0000000000000000 [ 7.457309] x3 : ffffffffffffffff x2 : 0000000000000000 [ 7.462674] x1 : 0fffc00000000800 x0 : ffff7e0000234ce0 [ 7.468039] Process swapper/0 (pid: 1, stack limit = 0x00000000f276e9af) [ 7.474809] Call trace: [ 7.477272] kfree+0x194/0x1b4 [ 7.480351] platform_device_release+0xcc/0xd8 [ 7.484837] device_release+0x34/0x90 [ 7.488531] kobject_put+0x70/0xcc [ 
7.491961] put_device+0x14/0x1c [ 7.495304] platform_device_put+0x14/0x1c [ 7.499439] dmi_add_platform_ipmi+0x348/0x3ac [ 7.503923] scan_for_dmi_ipmi+0xfc/0x10c [ 7.507970] do_one_initcall+0x38/0x124 [ 7.511840] kernel_init_freeable+0x188/0x228 [ 7.516238] kernel_init+0x10/0x100 [ 7.519756] ret_from_fork+0x10/0x18 [ 7.523362] Code: f94002c0 37780080 f94012c0 37000040 (d4210000) [ 7.529552] ---[ end trace 11750e4787deef9e ]--- [ 7.534228] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b [ 7.534228] This is because when the device is released in platform_device_release(), we try to free pdev.driver_override. This is a const string, hence the crash. Fix by using dynamic memory for pdev->driver_override. Signed-off-by: John Garry [Removed the free of driver_override from ipmi_si_remove_by_dev(). The free is done in platform_device_release(), and would result in a double free, and ipmi_si_remove_by_dev() is called by non-platform devices.] Signed-off-by: Corey Minyard Cc: # 4.14+
---
 drivers/char/ipmi/ipmi_dmi.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/char/ipmi/ipmi_dmi.c b/drivers/char/ipmi/ipmi_dmi.c
index ab78b3be7e33..c5112b17d7ea 100644
--- a/drivers/char/ipmi/ipmi_dmi.c
+++ b/drivers/char/ipmi/ipmi_dmi.c
@@ -106,7 +106,10 @@ static void __init dmi_add_platform_ipmi(unsigned long base_addr,
 pr_err("ipmi:dmi: Error allocation IPMI platform device\n");
 return;
 }
- pdev->driver_override = override;
+ pdev->driver_override = kasprintf(GFP_KERNEL, "%s",
+ override);
+ if (!pdev->driver_override)
+ goto err;
 if (type == IPMI_DMI_TYPE_SSIF) {
 set_prop_entry(p[pidx++], "i2c-addr", u16, base_addr);
-- cgit
From e749d328b0b450aa78d562fa26a0cd8872325dd9 Mon Sep 17 00:00:00 2001
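Review bot: In dmi_add_platform_ipmi(), ownership of `pdev->driver_override` changes at this assignment but nothing at the assignment says so, and the crash in the commit message came from exactly that mismatch between who allocates the string and who frees it. A one-line comment such as `/* heap copy: freed by platform_device_release() */` would keep a later reader from assigning a literal again or from adding a second free. As a point of style, formatting through `"%s"` only to duplicate a string is more than is needed; `pdev->driver_override = kstrdup(override, GFP_KERNEL);` expresses the same thing on one line. The `err` label and the rest of the function lie outside the hunk.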
From: Wei Yongjun Date: Thu, 18 Jan 2018 01:43:19 +0000 Subject: ipmi/powernv: Fix error return code in ipmi_powernv_probe() Fix to return a negative error code from the request_irq() error handling case instead of 0, as done elsewhere in this function. Fixes: dce143c3381c ("ipmi/powernv: Convert to irq event interface") Signed-off-by: Wei Yongjun Reviewed-by: Alexey Kardashevskiy Signed-off-by: Corey Minyard
---
 drivers/char/ipmi/ipmi_powernv.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/char/ipmi/ipmi_powernv.c b/drivers/char/ipmi/ipmi_powernv.c
index c687c8d57c92..bcf493d8e238 100644
--- a/drivers/char/ipmi/ipmi_powernv.c
+++ b/drivers/char/ipmi/ipmi_powernv.c
@@ -250,8 +250,9 @@ static int ipmi_powernv_probe(struct platform_device *pdev)
 ipmi->irq = opal_event_request(prop);
 }
- if (request_irq(ipmi->irq, ipmi_opal_event, IRQ_TYPE_LEVEL_HIGH,
- "opal-ipmi", ipmi)) {
+ rc = request_irq(ipmi->irq, ipmi_opal_event, IRQ_TYPE_LEVEL_HIGH,
+ "opal-ipmi", ipmi);
+ if (rc) {
 dev_warn(dev, "Unable to request irq\n");
 goto err_dispose;
 }
-- cgit
From e45af3d372f1d4339663dcbef28665f5b15d448c Mon Sep 17 00:00:00 2001 From: Andy Shevchenko Date: Tue, 31 Oct 2017 16:21:38 +0200 Subject: ipmi_ssif: Remove duplicate NULL check Since i2c_unregister_device() became NULL-aware we may remove duplicate NULL check. Cc: Corey Minyard Cc: openipmi-developer@lists.sourceforge.net Signed-off-by: Andy Shevchenko Signed-off-by: Corey Minyard
---
 drivers/char/ipmi/ipmi_ssif.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/char/ipmi/ipmi_ssif.c b/drivers/char/ipmi/ipmi_ssif.c
index 3cfaec728604..f929e72bdac8 100644
--- a/drivers/char/ipmi/ipmi_ssif.c
+++ b/drivers/char/ipmi/ipmi_ssif.c
@@ -2071,8 +2071,7 @@ static int ssif_platform_remove(struct platform_device *dev)
 return 0;
 mutex_lock(&ssif_infos_mutex);
- if (addr_info->client)
- i2c_unregister_device(addr_info->client);
+ i2c_unregister_device(addr_info->client);
 list_del(&addr_info->link);
 kfree(addr_info);
-- cgit