diff options
| author | Lv Zheng <lv.zheng@intel.com> | 2013-09-13 01:13:39 -0400 |
|---|---|---|
| committer | Rafael J. Wysocki <rafael.j.wysocki@intel.com> | 2013-09-30 13:46:11 -0400 |
| commit | 5ac557ef4951ea4b131ae45b08434546cb386ac5 (patch) | |
| tree | d8da98834adf86a8debf62e26405694dd69fc2e1 /drivers/acpi/acpi_ipmi.c | |
| parent | 6b68f03f95e3f0aeea0c47799aecb296276a7cd6 (diff) | |
ACPI / IPMI: Fix race caused by the unprotected ACPI IPMI transfers
This patch fixes races caused by unprotected ACPI IPMI transfers.
We can see that the following crashes may occur:
1. There is no tx_msg_lock held for iterating tx_msg_list in
ipmi_flush_tx_msg() while it may be unlinked on failure in
parallel in acpi_ipmi_space_handler() under tx_msg_lock.
2. There is no lock held for freeing tx_msg in acpi_ipmi_space_handler()
while it may be accessed in parallel in ipmi_flush_tx_msg() and
ipmi_msg_handler().
This patch enhances tx_msg_lock to protect all tx_msg accesses to solve
this issue. Then tx_msg_lock is always held around complete() and tx_msg
accesses.
Signed-off-by: Lv Zheng <lv.zheng@intel.com>
Reviewed-by: Huang Ying <ying.huang@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Diffstat (limited to 'drivers/acpi/acpi_ipmi.c')
| -rw-r--r-- | drivers/acpi/acpi_ipmi.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/drivers/acpi/acpi_ipmi.c b/drivers/acpi/acpi_ipmi.c index 7397135702db..87307baeafab 100644 --- a/drivers/acpi/acpi_ipmi.c +++ b/drivers/acpi/acpi_ipmi.c | |||
| @@ -228,11 +228,14 @@ static void ipmi_flush_tx_msg(struct acpi_ipmi_device *ipmi) | |||
| 228 | struct acpi_ipmi_msg *tx_msg, *temp; | 228 | struct acpi_ipmi_msg *tx_msg, *temp; |
| 229 | int count = HZ / 10; | 229 | int count = HZ / 10; |
| 230 | struct pnp_dev *pnp_dev = ipmi->pnp_dev; | 230 | struct pnp_dev *pnp_dev = ipmi->pnp_dev; |
| 231 | unsigned long flags; | ||
| 231 | 232 | ||
| 233 | spin_lock_irqsave(&ipmi->tx_msg_lock, flags); | ||
| 232 | list_for_each_entry_safe(tx_msg, temp, &ipmi->tx_msg_list, head) { | 234 | list_for_each_entry_safe(tx_msg, temp, &ipmi->tx_msg_list, head) { |
| 233 | /* wake up the sleep thread on the Tx msg */ | 235 | /* wake up the sleep thread on the Tx msg */ |
| 234 | complete(&tx_msg->tx_complete); | 236 | complete(&tx_msg->tx_complete); |
| 235 | } | 237 | } |
| 238 | spin_unlock_irqrestore(&ipmi->tx_msg_lock, flags); | ||
| 236 | 239 | ||
| 237 | /* wait for about 100ms to flush the tx message list */ | 240 | /* wait for about 100ms to flush the tx message list */ |
| 238 | while (count--) { | 241 | while (count--) { |
| @@ -266,11 +269,10 @@ static void ipmi_msg_handler(struct ipmi_recv_msg *msg, void *user_msg_data) | |||
| 266 | } | 269 | } |
| 267 | } | 270 | } |
| 268 | 271 | ||
| 269 | spin_unlock_irqrestore(&ipmi_device->tx_msg_lock, flags); | ||
| 270 | if (!msg_found) { | 272 | if (!msg_found) { |
| 271 | dev_warn(&pnp_dev->dev, "Unexpected response (msg id %ld) is " | 273 | dev_warn(&pnp_dev->dev, "Unexpected response (msg id %ld) is " |
| 272 | "returned.\n", msg->msgid); | 274 | "returned.\n", msg->msgid); |
| 273 | goto out_msg; | 275 | goto out_lock; |
| 274 | } | 276 | } |
| 275 | 277 | ||
| 276 | /* copy the response data to Rx_data buffer */ | 278 | /* copy the response data to Rx_data buffer */ |
| @@ -284,6 +286,8 @@ static void ipmi_msg_handler(struct ipmi_recv_msg *msg, void *user_msg_data) | |||
| 284 | tx_msg->msg_done = 1; | 286 | tx_msg->msg_done = 1; |
| 285 | } | 287 | } |
| 286 | complete(&tx_msg->tx_complete); | 288 | complete(&tx_msg->tx_complete); |
| 289 | out_lock: | ||
| 290 | spin_unlock_irqrestore(&ipmi_device->tx_msg_lock, flags); | ||
| 287 | out_msg: | 291 | out_msg: |
| 288 | ipmi_free_recv_msg(msg); | 292 | ipmi_free_recv_msg(msg); |
| 289 | }; | 293 | }; |