platform/mihawk: Fix IPMI double-free

Message ID 20200612083047.3895-1-Nichole_Wang@wistron.com
State Superseded
Series platform/mihawk: Fix IPMI double-free

Commit Message

Nichole Wang June 12, 2020, 8:30 a.m. UTC
The commit 6826095 ("platform/mihawk: support dynamic PCIe slot table")
added the IPMI OEM command to communicate with BMC. We do the
ipmi_free_msg(msg) twice that caused the Fast-reboot fail.

This patch fixes it by removing the IPMI double-free bug to restore
Fast-reboot.

Signed-off-by: nichole <Nichole_Wang@wistron.com>
Cc: skiboot-stable@lists.ozlabs.org # skiboot-6.6.x
Cc: skiboot-stable@lists.ozlabs.org # skiboot-op940.x
Fixes: commit 6826095 ("platform/mihawk: support dynamic PCIe slot table")
---
 platforms/astbmc/mihawk.c | 2 --
 1 file changed, 2 deletions(-)

Comments

Vasant Hegde June 12, 2020, 11:13 a.m. UTC | #1
On 6/12/20 2:00 PM, nichole wrote:
> The commit 6826095 ("platform/mihawk: support dynamic PCIe slot table")
> added the IPMI OEM command to communicate with BMC. We do the
> ipmi_free_msg(msg) twice that caused the Fast-reboot fail.
> 
> This patch fixes it by removing the IPMI double-free bug to restore
> Fast-reboot.
> 
> Signed-off-by: nichole <Nichole_Wang@wistron.com>
> Cc: skiboot-stable@lists.ozlabs.org # skiboot-6.6.x
> Cc: skiboot-stable@lists.ozlabs.org # skiboot-op940.x
> Fixes: commit 6826095 ("platform/mihawk: support dynamic PCIe slot table")
> ---
>   platforms/astbmc/mihawk.c | 2 --
>   1 file changed, 2 deletions(-)
> 
> diff --git a/platforms/astbmc/mihawk.c b/platforms/astbmc/mihawk.c
> index f3669ff..0d5279f 100644
> --- a/platforms/astbmc/mihawk.c
> +++ b/platforms/astbmc/mihawk.c
> @@ -484,7 +484,6 @@ static void mihawk_riser_query_complete(struct ipmi_msg *msg)
>   		prlog(PR_ERR, "Mihawk: IPMI riser query returned error. cmd=0x%02x,"
>   			" netfn=0x%02x, rc=0x%x\n", msg->cmd, msg->netfn, msg->cc);
>   		bmc_query_waiting = false;
> -		ipmi_free_msg(msg);

What if we get a response after timeout? We will hit use-after-free, right?

I think you should remove `ipmi_free_msg(msg);` from the `mihawk_init()` function
instead of removing it here.

-Vasant
Patch

diff --git a/platforms/astbmc/mihawk.c b/platforms/astbmc/mihawk.c
index f3669ff..0d5279f 100644
--- a/platforms/astbmc/mihawk.c
+++ b/platforms/astbmc/mihawk.c
@@ -484,7 +484,6 @@  static void mihawk_riser_query_complete(struct ipmi_msg *msg)
 		prlog(PR_ERR, "Mihawk: IPMI riser query returned error. cmd=0x%02x,"
 			" netfn=0x%02x, rc=0x%x\n", msg->cmd, msg->netfn, msg->cc);
 		bmc_query_waiting = false;
-		ipmi_free_msg(msg);
 		return;
 	}
 
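Review bot: In the error branch of mihawk_riser_query_complete(), dropping ipmi_free_msg(msg) leaves this path with no release of msg at all, and nothing in the lines shown says who owns it now. The branch still reads msg->cmd, msg->netfn and msg->cc in the prlog() call, so if the caller frees msg on its own (for example after it stops waiting) and this completion runs later, those reads hit freed memory. Consider keeping the free here and removing the caller's copy instead, so the completion handler is the single owner, or state in the commit message which free remains and why a late completion cannot occur.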
@@ -496,7 +495,6 @@  static void mihawk_riser_query_complete(struct ipmi_msg *msg)
 	*riser_state = msg->data[0] << 4 | msg->data[1];
 
 	bmc_query_waiting = false;
-	ipmi_free_msg(msg);
 }
 
 static void mihawk_init(void)
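Review bot: At the end of mihawk_riser_query_complete(), bmc_query_waiting = false is now the only signal that the handler is finished with msg, and that contract is not documented anywhere in the hunk. Please add a comment above the function saying that the handler does not free msg and that whoever does must wait until bmc_query_waiting is cleared, since *riser_state is computed from msg->data[0] and msg->data[1] just before it. The commit message should also name the ipmi_free_msg(msg) call that is kept, because this diff only shows the two that are removed.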