    ipmi: Remove smi_msg from waiting_rcv_msgs list before handle_one_recv_msg() · de0f9fa7
    Junichi Nomura authored
    commit ae4ea9a2 upstream.
    
    Commit 7ea0ed2b ("ipmi: Make the message handler easier to use for
    SMI interfaces") changed handle_new_recv_msgs() to call handle_one_recv_msg()
    for a smi_msg while the smi_msg is still connected to the waiting_rcv_msgs list.
    That could lead to the following list corruption problems:
    
    1) low-level function treats smi_msg as not connected to a list
    
      handle_one_recv_msg() could end up calling smi_send(), which
      assumes the msg is not connected to a list.
    
      For example, the following sequence could corrupt the list by
      doing list_add_tail() for an entry still connected to another list.
    
        handle_new_recv_msgs()
          msg = list_entry(waiting_rcv_msgs)
          handle_one_recv_msg(msg)
            handle_ipmb_get_msg_cmd(msg)
              smi_send(msg)
                spin_lock(xmit_msgs_lock)
                list_add_tail(msg)
                spin_unlock(xmit_msgs_lock)
    
    2) race between multiple handle_new_recv_msgs() instances
    
      handle_new_recv_msgs() first releases waiting_rcv_msgs_lock before calling
      handle_one_recv_msg(), then retakes the lock and list_del()s it.
    
      If others call handle_new_recv_msgs() during the window shown below,
      list_del() will be done twice for the same smi_msg.
    
      handle_new_recv_msgs()
        spin_lock(waiting_rcv_msgs_lock)
        msg = list_entry(waiting_rcv_msgs)
        spin_unlock(waiting_rcv_msgs_lock)
      |
      | handle_one_recv_msg(msg)
      |
        spin_lock(waiting_rcv_msgs_lock)
        list_del(msg)
        spin_unlock(waiting_rcv_msgs_lock)
    
    Fixes: 7ea0ed2b ("ipmi: Make the message handler easier to use for SMI interfaces")
    Signed-off-by: Jun'ichi Nomura <j-nomura@ce.jp.nec.com>
    [Added a comment to describe why this works.]
    Signed-off-by: Corey Minyard <cminyard@mvista.com>
    Tested-by: Ye Feng <yefeng.yl@alibaba-inc.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
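The two sequences in the commit message, replayed in an added userspace model that is not the kernel's code and not part of this commit: a minimal copy of the Linux intrusive list, one handler pass that takes the message off waiting_rcv_msgs either after (pre-fix) or before (fixed) handing it to smi_send(), and a two-instance replay of the list_del() window. The names waiting_rcv_msgs, xmit_msgs, smi_msg, smi_send() and handle_new_recv_msgs() are the kernel's; the struct layout, the two-message queue, the consistency walk and the list_del() return value used to count a repeat delete are constructed for the demonstration (the real list_del() writes LIST_POISON1/LIST_POISON2 into the links, so the second delete would fault rather than be counted).

```c
/* Added example, not the kernel's code: a userspace model of the two list
 * corruption sequences from the commit message, reusing the kernel's names.
 * Struct layout, list_del() return value and the consistency walk are constructed. */
#include <stddef.h>
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };
struct smi_msg { int msgid; struct list_head link; };
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))
static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }

static void list_add_tail(struct list_head *new, struct list_head *head)
{
    new->prev = head->prev; new->next = head;
    head->prev->next = new; head->prev = new;
}

/* The kernel's list_del() poisons the links, so a repeat faults; here it returns -1. */
static int list_del(struct list_head *entry)
{
    if (entry->next == NULL)
        return -1;
    entry->prev->next = entry->next;
    entry->next->prev = entry->prev;
    entry->next = entry->prev = NULL;
    return 0;
}

/* Forward walk: element count, or -1 if a link is NULL, a back pointer
 * disagrees, or the walk does not return to head within limit steps. */
static int list_check(const struct list_head *head, int limit)
{
    int n = 0;
    for (const struct list_head *p = head->next; p != head; p = p->next)
        if (p == NULL || p->next == NULL || p->next->prev != p || ++n > limit)
            return -1;
    return n;
}

/* Low-level send: assumes msg->link is not on any list. */
static void smi_send(struct smi_msg *msg, struct list_head *xmit_msgs)
{
    list_add_tail(&msg->link, xmit_msgs);
}

/* One pass: pre-fix order (handle, then list_del()) or fixed order (list_del() first). */
static int handle_new_recv_msgs(struct list_head *waiting, struct list_head *xmit, int use_fix)
{
    struct smi_msg *msg = container_of(waiting->next, struct smi_msg, link);
    int rc = 0;
    if (use_fix)
        rc = list_del(&msg->link);   /* under waiting_rcv_msgs_lock, before unlocking */
    smi_send(msg, xmit);             /* handle_one_recv_msg() -> ... -> smi_send() */
    if (!use_fix)
        rc = list_del(&msg->link);   /* unlinks from xmit_msgs' neighbours, not waiting's */
    return rc;
}

/* Scenario 1, two queued msgs: list_check() of waiting (report_xmit == 0) or xmit. */
static int scenario_smi_send(int use_fix, int report_xmit)
{
    struct list_head waiting, xmit;
    struct smi_msg a = { .msgid = 1 }, b = { .msgid = 2 };
    INIT_LIST_HEAD(&waiting);
    INIT_LIST_HEAD(&xmit);
    list_add_tail(&a.link, &waiting);
    list_add_tail(&b.link, &waiting);
    handle_new_recv_msgs(&waiting, &xmit, use_fix);
    return list_check(report_xmit ? &xmit : &waiting, 8);
}

/* Scenario 2: a second instance enters the window between the unlocked
 * handle_one_recv_msg() and the locked list_del(); count double list_del()s. */
static int scenario_race(int use_fix)
{
    struct list_head waiting;
    struct smi_msg a = { .msgid = 1 }, b = { .msgid = 2 }, *m1, *m2;
    int double_dels = 0;
    INIT_LIST_HEAD(&waiting);
    list_add_tail(&a.link, &waiting);
    list_add_tail(&b.link, &waiting);
    m1 = container_of(waiting.next, struct smi_msg, link);  /* instance 1 takes the head */
    if (use_fix) list_del(&m1->link);                        /* fix: unlinked before unlocking */
    m2 = container_of(waiting.next, struct smi_msg, link);  /* instance 2, inside the window */
    if (use_fix) list_del(&m2->link);
    /* ... both instances run handle_one_recv_msg() here ... */
    if (!use_fix) {                 /* pre-fix: each retakes the lock and list_del()s its msg */
        double_dels += list_del(&m1->link) < 0;
        double_dels += list_del(&m2->link) < 0;
    }
    return double_dels;
}

int main(void)
{
    printf("pre-fix: waiting=%d xmit=%d double_del=%d\n", scenario_smi_send(0, 0), scenario_smi_send(0, 1), scenario_race(0));
    printf("fixed:   waiting=%d xmit=%d double_del=%d\n", scenario_smi_send(1, 0), scenario_smi_send(1, 1), scenario_race(1));
    return 0;
}
```

In the pre-fix order, list_add_tail() rewrites the entry's links to point into xmit_msgs while waiting_rcv_msgs still points at it, and the later list_del() then unlinks it from xmit_msgs' neighbours instead: the model reports waiting_rcv_msgs as corrupt (its head points at an entry with NULL links, where the kernel would have poison values) and xmit_msgs as empty, so the forwarded message is dropped. In the race replay, the second instance picks up the same smi_msg because the first one left it on the list while unlocked, and the second list_del() lands on an already-unlinked entry. Unlinking under waiting_rcv_msgs_lock before calling the handler, as the commit does, makes both sequences well-formed.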
ipmi_msghandler.c 118 KB