Subject: [PATCH 4/7] ipmi: Avoid touching possible corrupted lists in the panic context
To: Corey Minyard
From: Hidehiro Kawai
Cc: openipmi-developer@lists.sourceforge.net, linux-kernel@vger.kernel.org
Date: Mon, 27 Jul 2015 14:55:16 +0900
Message-ID: <20150727055516.4759.26264.stgit@softrs>
In-Reply-To: <20150727055516.4759.34462.stgit@softrs>
References: <20150727055516.4759.34462.stgit@softrs>

When processing queued messages in the panic context, IPMI driver tries to do it without any locking to avoid deadlocks. However, this means we can touch a corrupted list if the kernel panicked while manipulating the list. Fortunately, current `add-tail and del-from-head' style implementation won't touch the corrupted part, but it is inherently risky.

To get rid of the risk, this patch re-initializes the message lists on panic if the related spinlock has already been acquired. As a result, we may lose queued messages, but it's not so painful. Dropping messages on the received message list is also less problematic because no one can respond to the received messages.

Signed-off-by: Hidehiro Kawai
---
 drivers/char/ipmi/ipmi_msghandler.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c index f1ecd25..e7d84482 100644 --- a/drivers/char/ipmi/ipmi_msghandler.c +++ b/drivers/char/ipmi/ipmi_msghandler.c @@ -4507,6 +4507,23 @@ static int panic_event(struct notifier_block *this, /* Interface is not ready. */ continue; + /* + * If we were interrupted while locking xmit_msgs_lock or + * waiting_rcv_msgs_lock, the corresponding list may be + * corrupted. In this case, drop itmes on the list for + * the safety. + */ + if (!spin_trylock(&intf->xmit_msgs_lock)) { + INIT_LIST_HEAD(&intf->xmit_msgs); + INIT_LIST_HEAD(&intf->hp_xmit_msgs); + } else + spin_unlock(&intf->xmit_msgs_lock); + + if (!spin_trylock(&intf->waiting_rcv_msgs_lock)) + INIT_LIST_HEAD(&intf->waiting_rcv_msgs); + else + spin_unlock(&intf->waiting_rcv_msgs_lock); + intf->run_to_completion = 1; intf->handlers->set_run_to_completion(intf->send_info, 1); }
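
Review bot: In the first `if (!spin_trylock(&intf->xmit_msgs_lock)) {` block, the `else` branch should be braced as well, since the `if` branch is (`} else {` ... `}`). The added comment has a typo, "itmes" for "items". The comment also describes only the case where this CPU was interrupted while taking the lock, but a failed `spin_trylock()` here tells you only that the lock is held by someone, which includes a holder on another CPU that has since been stopped; it would help to say so. Note too that `INIT_LIST_HEAD()` only resets the list head, so any messages still queued on `xmit_msgs`, `hp_xmit_msgs` and `waiting_rcv_msgs` are abandoned without being freed and the lock stays held. That looks acceptable given that `run_to_completion` is set right after, but the comment should state it is deliberate.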