KASAN report null-ptr-deref as follows:
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:ipmi_unregister_smi+0x7d/0xd50 drivers/char/ipmi/ipmi_msghandler.c:3680
Call Trace:
ipmi_ipmb_remove+0x138/0x1a0 drivers/char/ipmi/ipmi_ipmb.c:443
ipmi_ipmb_probe+0x409/0xda1 drivers/char/ipmi/ipmi_ipmb.c:548
i2c_device_probe+0x959/0xac0 drivers/i2c/i2c-core-base.c:563
really_probe+0x3f3/0xa70 drivers/base/dd.c:541
In ipmi_ipmb_probe(), 'iidev->intf' is not set before
ipmi_register_smi() success. And in the error handling case,
ipmi_ipmb_remove() is called to release resources, ipmi_unregister_smi()
is called without check 'iidev->intf', this will cause KASAN
null-ptr-deref issue.
General kernel style is to allow NULL to be passed into unregister
calls, so fix it that way. This allows a NULL check to be removed in
other code.
Fixes: 57c9e3c9a3 ("ipmi:ipmi_ipmb: Unregister the SMI on remove")
Reported-by: Hulk Robot <hulkci@huawei.com>
Cc: stable@vger.kernel.org # v5.17+
Cc: Wei Yongjun <weiyongjun1@huawei.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
coccicheck complains about the use of snprintf() in sysfs show
functions:
WARNING use scnprintf or sprintf
Use sysfs_emit instead of scnprintf, snprintf or sprintf makes more
sense.
Reported-by: Zeal Robot <zealci@zte.com.cn>
Signed-off-by: Ye Guojin <ye.guojin@zte.com.cn>
Message-Id: <20211021110608.1060260-1-ye.guojin@zte.com.cn>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Nothing bug, but probably needs to go in.
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEE/Q1c5nzg9ZpmiCaGYfOMkJGb/4EFAmE6eAgACgkQYfOMkJGb
/4F1GA/+JnhnEtTOfnZktOfCMH2KecJtshGWG8s8no8dx1TqZWQZHIrVOKwOTqfG
YKUBWBZ7ip4yqPMzsWX2JztTE5njmmby6K3nOrrt0GNThv6i9m3NTF5a249sYdXh
JjWCwcasRQw/yEFCHSWh7/k9YztdxaZEo+HBGxYL0AC7QEqIe8kiqmXD+UpfxHVu
053NiIAe1Owg/b3mvebGzP6iKP3/nvrrdcBzL7mCCq4Vln/GEOUwIlLqRYBwcFyZ
+ssyGyV18BhOLP2pF/i+FttyUvB/k/ypdHy0ODxdy0DnYpZ0m+r/DjLk2PGyiPMI
1JZO5tyGHuzQHkhwl0dvB5C9c6WQVSxAIlUCHhYXjFibi2RrU1CpwoYulnAUPIKu
ppuoiNpZ3s81m6i1SB3t3yDeQGfZ2OYWosCGjd4uO6NNlpXGUd8yqOeWgBl8F3QD
E6xNQQF3aKwvySL+MGMLnIIxzMaYOj+H/4/CefRYPi+vxwF+YVi2PAwDtdRuVc/z
to0eowHSTHWlTSY34sHMXZL9omqPwlIyIuZpgCVJicx0UIEdCfY3qQeZWWDC0uoQ
FfWMkYrUJQyxOnJlsgWIpaX7EhHmUoUxYW1QhvyiZ8Ez7gc0dYFAfUgq56TXPVNp
9WOirJR0lHKBovljMlcBbtlNW7qBww8Z8YbRQrfrZ4OHx1U2xj0=
=BmmZ
-----END PGP SIGNATURE-----
Merge tag 'for-linus-5.15-1' of git://github.com/cminyard/linux-ipmi
Pull IPMI updates from Corey Minyard:
"A couple of very minor fixes for style and rate limiting.
Nothing big, but probably needs to go in"
* tag 'for-linus-5.15-1' of git://github.com/cminyard/linux-ipmi:
char: ipmi: use DEVICE_ATTR helper macro
ipmi: rate limit ipmi smi_event failure message
The caller of this function (parisc_driver_remove() in
arch/parisc/kernel/drivers.c) ignores the return value, so better don't
return any value at all to not wake wrong expectations in driver authors.
The only function that could return a non-zero value before was
ipmi_parisc_remove() which returns the return value of
ipmi_si_remove_by_dev(). Make this function return void, too, as for all
other callers the value is ignored, too.
Also fold in a small checkpatch fix for:
WARNING: Unnecessary space before function pointer arguments
+ void (*remove) (struct parisc_device *dev);
Acked-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> (for drivers/input)
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Acked-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Acked-by: Jiri Slaby <jirislaby@kernel.org>
Signed-off-by: Helge Deller <deller@gmx.de>
Instead of open coding DEVICE_ATTR, use the helper macro
DEVICE_ATTR_RO to replace DEVICE_ATTR with 0444 octal
permissions.
This was detected as a part of checkpatch evaluation
investigating all reports of DEVICE_ATTR_RO warning
type.
Signed-off-by: Dwaipayan Ray <dwaipayanray1@gmail.com>
Message-Id: <20210730062951.84876-1-dwaipayanray1@gmail.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Sometimes we can't get a valid si_sm_data, and we print an error
message accordingly. But the ipmi module seem to like retrying a lot,
in which case we flood the kernel log with a lot of messages, eg:
[46318019.164726] ipmi_si IPI0001:00: Could not set the global enables: 0xc1.
[46318020.109700] ipmi_si IPI0001:00: Could not set the global enables: 0xc1.
[46318021.158677] ipmi_si IPI0001:00: Could not set the global enables: 0xc1.
[46318022.212598] ipmi_si IPI0001:00: Could not set the global enables: 0xc1.
[46318023.258564] ipmi_si IPI0001:00: Could not set the global enables: 0xc1.
[46318024.210455] ipmi_si IPI0001:00: Could not set the global enables: 0xc1.
[46318025.260473] ipmi_si IPI0001:00: Could not set the global enables: 0xc1.
[46318026.308445] ipmi_si IPI0001:00: Could not set the global enables: 0xc1.
[46318027.356389] ipmi_si IPI0001:00: Could not set the global enables: 0xc1.
[46318028.298288] ipmi_si IPI0001:00: Could not set the global enables: 0xc1.
[46318029.363302] ipmi_si IPI0001:00: Could not set the global enables: 0xc1.
Signed-off-by: Wen Yang <wenyang@linux.alibaba.com>
Cc: Baoyou Xie <baoyou.xie@alibaba-inc.com>
Cc: Corey Minyard <minyard@acm.org>
Cc: openipmi-developer@lists.sourceforge.net
Cc: linux-kernel@vger.kernel.org
Message-Id: <20210729093228.77098-1-wenyang@linux.alibaba.com>
[Added a missing comma]
Signed-off-by: Corey Minyard <cminyard@mvista.com>
For easy grepping on debug purposes join string literals back in
the messages.
No functional change.
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Message-Id: <20210402174334.13466-11-andriy.shevchenko@linux.intel.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
The ->addr_source_cleanup() callback is solely used by PCI driver
and only for one purpose, i.e. to disable device. Get rid of
->addr_source_cleanup() by switching to PCI managed API.
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Message-Id: <20210402174334.13466-8-andriy.shevchenko@linux.intel.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Instead of making the comparison one by one, reuse si_to_str[] array
in ipmi_hardcode_init_one() in conjunction with match_string() API.
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Message-Id: <20210402174334.13466-7-andriy.shevchenko@linux.intel.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Rarely but still failures are observed while getting BMC device ID
so this commit changes the condition to retry to get device id
when cc is not IPMI_CC_NO_ERROR.
Signed-off-by: Terry Duncan <terry.s.duncan@intel.com>
Signed-off-by: Jae Hyun Yoo <jae.hyun.yoo@linux.intel.com>
Message-Id: <20210225045027.9344-1-jae.hyun.yoo@linux.intel.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
On an error exit path, a negative error code should be returned
instead of a positive return value.
Fixes: 90b2d4f15f ("ipmi_si: Remove hacks for adding a dummy platform devices")
Cc: Corey Minyard <cminyard@mvista.com>
Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Message-Id: <20201005145212.84435-1-tianjia.zhang@linux.alibaba.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
The type for the completion codes should be unsigned char instead of
char. If it is declared as a normal char then the conditions in
__get_device_id() are impossible because the IPMI_DEVICE_IN_FW_UPDATE_ERR
error codes are higher than 127.
drivers/char/ipmi/ipmi_msghandler.c:2449 __get_device_id()
warn: impossible condition '(bmc->cc == 209) => ((-128)-127 == 209)'
Fixes: f8910ffa81 ("ipmi:msghandler: retry to get device id on an error")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Message-Id: <20200918142756.GB909725@mwanda>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Use a retry machanism to give the BMC more opportunities to correctly
respond when we receive specific completion codes.
This is similar to what is done in __get_device_id().
Signed-off-by: Xianting Tian <tian.xianting@h3c.com>
Message-Id: <20200916062129.26129-1-tian.xianting@h3c.com>
[Moved GET_DEVICE_ID_MAX_RETRY to include/linux/ipmi.h, reworded some
text.]
Signed-off-by: Corey Minyard <cminyard@mvista.com>
'struct timespec' is getting removed from the kernel. The usage in ipmi
was fixed before in commit 48862ea2ce ("ipmi: Update timespec usage
to timespec64"), but unfortunately it crept back in.
The busy looping code can better use ktime_t anyway, so use that
there to simplify the implementation.
Fixes: cbb19cb1ee ("ipmi_si: Convert timespec64 to timespec")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Message-Id: <20191108203435.112759-5-arnd@arndb.de>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
smi_mod_timer() enables the timer before setting timer_running. This
means the timer can be running when we get to stop_timer_and_thread()
without timer_running having been set, resulting in del_timer_sync()
not being called and the timer being left to cause havoc during
shutdown.
Instead just call del_timer_sync() unconditionally
Signed-off-by: Jes Sorensen <jsorensen@fb.com>
Message-Id: <20190828203625.32093-2-Jes.Sorensen@gmail.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
ipmi_thread() uses back-to-back schedule() to poll for command
completion which, on some machines, can push up CPU consumption and
heavily tax the scheduler locks leading to noticeable overall
performance degradation.
This was originally added so firmware updates through IPMI would
complete in a timely manner. But we can't kill the scheduler
locks for that one use case.
Instead, only run schedule() continuously in maintenance mode,
where firmware updates should run.
Signed-off-by: Corey Minyard <cminyard@mvista.com>
ipmi_si_sm.h was getting included in lots of places it didn't
belong. Rework things a bit to remove all the dependencies,
mostly just moving things between include files that were in
the wrong place and removing bogus includes.
Signed-off-by: Corey Minyard <cminyard@mvista.com>
There is no need for timespec64, and it will cause issues in the
future with i386 and 64-bit division not being available.
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Cover 'int' to 'bool' type for initialized variable.
Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
Message-Id: <20190517101245.4341-2-wangkefeng.wang@huawei.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
The "init_name" variable isn't used any more after commit 90b2d4f15f
("ipmi_si: Remove hacks for adding a dummy platform devices").
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Message-Id: <20190322065426.GB12551@kadam>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
When a hotmod-added device is removed or when the module is removed,
remove the platform devices that was created for it.
Signed-off-by: Corey Minyard <cminyard@mvista.com>
When excuting a command like:
modprobe ipmi_si ports=0xffc0e3 type=bt
The system would get an oops.
The trouble here is that ipmi_si_hardcode_find_bmc() is called before
ipmi_si_platform_init(), but initialization of the hard-coded device
creates an IPMI platform device, which won't be initialized yet.
The real trouble is that hard-coded devices aren't created with
any device, and the fixup is done later. So do it right, create the
hard-coded devices as normal platform devices.
This required adding some new resource types to the IPMI platform
code for passing information required by the hard-coded device
and adding some code to remove the hard-coded platform devices
on module removal.
To enforce the "hard-coded devices passed by the user take priority
over firmware devices" rule, some special code was added to check
and see if a hard-coded device already exists.
Reported-by: Yang Yingliang <yangyingliang@huawei.com>
Cc: stable@vger.kernel.org # v4.15+
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Tested-by: Yang Yingliang <yangyingliang@huawei.com>
The code to tell the lower layer to enable or disable watching for
certain things was lazy in disabling, it waited until a timer tick
to see if a disable was necessary. Not a really big deal, but it
could be improved.
Modify the code to enable and disable watching immediately and don't
do it from the background timer any more.
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Tested-by: Kamlakant Patel <kamlakant.patel@cavium.com>
The IPMI driver has a mechanism to tell the lower layers it needs
to watch for messages, commands, and watchdogs (so it doesn't
needlessly poll). However, it needed some extensions, it needed
a way to tell what is being waited for so it could set the timeout
appropriately.
The update to the lower layer was also being done once a second
at best because it was done in the main timeout handler. However,
if a command is sent and a response message is coming back,
it needed to be started immediately. So modify the code to
update immediately if it needs to be enabled. Disable is still
lazy.
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Tested-by: Kamlakant Patel <kamlakant.patel@cavium.com>
Now that synchronize_rcu() waits for preempt-disable regions of code
as well as RCU read-side critical sections, synchronize_sched() can be
replaced by synchronize_rcu(). This commit therefore makes this change.
Signed-off-by: Paul E. McKenney <paulmck@linux.ibm.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: <openipmi-developer@lists.sourceforge.net>
Acked-by: Corey Minyard <cminyard@mvista.com>
getnstimeofday64() is deprecated because of the inconsistent naming,
it is only a wrapper around ktime_get_real_ts64() now, which could be
used as a direct replacement.
However, it is generally better to use CLOCK_MONOTONIC timestamps
where possible, to avoid glitches with a concurrent settimeofday()
or leap second.
The uses in ipmi are either for debugging prints or for comparing against
a prior timestamp, so using a monotonic ktime_get_ts64() is probably
best here.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Add and use #define pr_fmt/dev_fmt, and remove #define PFX
This also prefixes some messages that were not previously prefixed.
Miscellanea:
o Convert printk(KERN_<level> to pr_<level>(
o Use %s, __func__ where appropriate
Signed-off-by: Joe Perches <joe@perches.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
There were certain situations where ipmi_register_smi() would
return a failure, but the interface would still be registered
and would need to be unregistered. This is obviously a bad
design and resulted in an oops in certain failure cases.
If the interface is started up in ipmi_register_smi(), then
an error occurs, shut down the interface there so the
cleanup can be done properly.
Fix the various smi users, too.
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Reported-by: Justin Ernst <justin.ernst@hpe.com>
Tested-by: Justin Ernst <justin.ernst@hpe.com>
Cc: Andrew Banman <abanman@hpe.com>
Cc: Russ Anderson <russ.anderson@hpe.com>
Cc: <stable@vger.kernel.org> # 4.18.x
Commit 93c303d204 "ipmi_si: Clean up shutdown a bit" didn't
copy the behavior of the cleanup in one spot, it needed to
check for a non-NULL interface before cleaning it up.
Reported-by: Meelis Roos <mroos@linux.ee>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Tested-by: Meelis Roos <mroos@linux.ee>
There is already an intf_num in the main IPMI device structure, use
a different name in the ipmi_si code to avoid confusion.
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Due to changes in the way shutdown is done, it is no longer
required to check that the interface is set.
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Move the shutdown handling to a shutdown function called from
the IPMI core code. That makes for a cleaner shutdown.
Signed-off-by: Corey Minyard <cminyard@mvista.com>
If platform_device_alloc() then we should return -ENOMEM instead of
returning success.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
The cleanup code for an init failure and for a device removal were
quite similar, consolidate all that into one function.
Signed-off-by: Corey Minyard <cminyard@mvista.com>
device_remove_group() was called on any cleanup, even if the
device attrs had not been added yet. That can occur in certain
error scenarios, so add a flag to know if it has been added.
Also make sure we remove the dev if we added it ourselves.
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Cc: stable@vger.kernel.org # 4.15
Cc: Laura Abbott <labbott@redhat.com>
Tested-by: Bill Perkins <wmp@grnwood.net>
And get rid of the license text that is no longer necessary.
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Alistair Popple <alistair@popple.id.au>
Cc: Jeremy Kerr <jk@ozlabs.org>
Cc: Joel Stanley <joel@jms.id.au>
Cc: Rocky Craig <rocky.craig@hp.com>
During code inspection, I found an use-after-free possibility during unloading
ipmi_si in the polling mode.
If start_new_msg() is called after kthread_stop(), the function will try to
wake up non-existing kthread using the dangling pointer.
Possible scenario is when a new internal message is generated after
ipmi_unregister_smi()[*1] and remains after stop_timer_and_thread()
in clenaup_one_si() [*2].
Use-after-free could occur as follows depending on BMC replies.
cleanup_one_si
=> ipmi_unregister_smi
[*1]
=> stop_timer_and_thread
=> kthread_stop(smi_info->thread)
[*2]
=> poll
=> smi_event_handler
=> start_new_msg
=> if (smi_info->thread)
wake_up_process(smi_info->thread) <== use-after-free!!
Although currently it seems no such message is generated in the polling mode,
some changes might introduce that in thefuture. For example in the interrupt
mode, disable_si_irq() does that at [*2].
So let's prevent such a critical issue possibility now.
Signed-off-by: Yamazaki Masamitsu <m-yamazaki@ah.jp.nec.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Corey Minyard