summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLv Zheng <lv.zheng@intel.com>2013-09-13 13:13:39 +0800
committerRafael J. Wysocki <rafael.j.wysocki@intel.com>2013-09-30 19:46:11 +0200
commit5ac557ef4951ea4b131ae45b08434546cb386ac5 (patch)
treed8da98834adf86a8debf62e26405694dd69fc2e1
parent6b68f03f95e3f0aeea0c47799aecb296276a7cd6 (diff)
ACPI / IPMI: Fix race caused by the unprotected ACPI IPMI transfers
This patch fixes races caused by unprotected ACPI IPMI transfers. We can see that the following crashes may occur: 1. There is no tx_msg_lock held for iterating tx_msg_list in ipmi_flush_tx_msg() while it may be unlinked on failure in parallel in acpi_ipmi_space_handler() under tx_msg_lock. 2. There is no lock held for freeing tx_msg in acpi_ipmi_space_handler() while it may be accessed in parallel in ipmi_flush_tx_msg() and ipmi_msg_handler(). This patch enhances tx_msg_lock to protect all tx_msg accesses to solve this issue. Then tx_msg_lock is always held around complete() and tx_msg accesses. Signed-off-by: Lv Zheng <lv.zheng@intel.com> Reviewed-by: Huang Ying <ying.huang@intel.com> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Diffstat
-rw-r--r--drivers/acpi/acpi_ipmi.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/drivers/acpi/acpi_ipmi.c b/drivers/acpi/acpi_ipmi.c
index 7397135702db..87307baeafab 100644
--- a/drivers/acpi/acpi_ipmi.c
+++ b/drivers/acpi/acpi_ipmi.c
@@ -228,11 +228,14 @@ static void ipmi_flush_tx_msg(struct acpi_ipmi_device *ipmi)
struct acpi_ipmi_msg *tx_msg, *temp;
int count = HZ / 10;
struct pnp_dev *pnp_dev = ipmi->pnp_dev;
+ unsigned long flags;
+ spin_lock_irqsave(&ipmi->tx_msg_lock, flags);
list_for_each_entry_safe(tx_msg, temp, &ipmi->tx_msg_list, head) {
/* wake up the sleep thread on the Tx msg */
complete(&tx_msg->tx_complete);
}
+ spin_unlock_irqrestore(&ipmi->tx_msg_lock, flags);
/* wait for about 100ms to flush the tx message list */
while (count--) {
@@ -266,11 +269,10 @@ static void ipmi_msg_handler(struct ipmi_recv_msg *msg, void *user_msg_data)
}
}
- spin_unlock_irqrestore(&ipmi_device->tx_msg_lock, flags);
if (!msg_found) {
dev_warn(&pnp_dev->dev, "Unexpected response (msg id %ld) is "
"returned.\n", msg->msgid);
- goto out_msg;
+ goto out_lock;
}
/* copy the response data to Rx_data buffer */
@@ -284,6 +286,8 @@ static void ipmi_msg_handler(struct ipmi_recv_msg *msg, void *user_msg_data)
tx_msg->msg_done = 1;
}
complete(&tx_msg->tx_complete);
+out_lock:
+ spin_unlock_irqrestore(&ipmi_device->tx_msg_lock, flags);
out_msg:
ipmi_free_recv_msg(msg);
};
generated by cgit v1.2.3 (git 2.0.4) at 2025-10-31 09:05:27 +0000