Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / 5ac557ef4951ea4b131ae45b08434546cb386ac5^! / . / drivers / acpi / acpi_ipmi.c
commit5ac557ef4951ea4b131ae45b08434546cb386ac5[log] [tgz]
authorLv Zheng <lv.zheng@intel.com>Fri Sep 13 13:13:39 2013 +0800
committerRafael J. Wysocki <rafael.j.wysocki@intel.com>Mon Sep 30 19:46:11 2013 +0200
treed8da98834adf86a8debf62e26405694dd69fc2e1
parent6b68f03f95e3f0aeea0c47799aecb296276a7cd6 [diff] [blame]
ACPI / IPMI: Fix race caused by the unprotected ACPI IPMI transfers

This patch fixes races caused by unprotected ACPI IPMI transfers.

We can see that the following crashes may occur:
 1. There is no tx_msg_lock held for iterating tx_msg_list in
    ipmi_flush_tx_msg() while it may be unlinked on failure in
    parallel in acpi_ipmi_space_handler() under tx_msg_lock.
 2. There is no lock held for freeing tx_msg in acpi_ipmi_space_handler()
    while it may be accessed in parallel in ipmi_flush_tx_msg() and
    ipmi_msg_handler().

This patch enhances tx_msg_lock to protect all tx_msg accesses to solve
this issue.  Then tx_msg_lock is always held around complete() and tx_msg
accesses.

Signed-off-by: Lv Zheng <lv.zheng@intel.com>
Reviewed-by: Huang Ying <ying.huang@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>

diff --git a/drivers/acpi/acpi_ipmi.c b/drivers/acpi/acpi_ipmi.c
index 7397135..87307ba 100644
--- a/drivers/acpi/acpi_ipmi.c
+++ b/drivers/acpi/acpi_ipmi.c

@@ -228,11 +228,14 @@
 	struct acpi_ipmi_msg *tx_msg, *temp;
 	int count = HZ / 10;
 	struct pnp_dev *pnp_dev = ipmi->pnp_dev;
+	unsigned long flags;
 
+	spin_lock_irqsave(&ipmi->tx_msg_lock, flags);
 	list_for_each_entry_safe(tx_msg, temp, &ipmi->tx_msg_list, head) {
 		/* wake up the sleep thread on the Tx msg */
 		complete(&tx_msg->tx_complete);
 	}
+	spin_unlock_irqrestore(&ipmi->tx_msg_lock, flags);
 
 	/* wait for about 100ms to flush the tx message list */
 	while (count--) {
@@ -266,11 +269,10 @@
 		}
 	}
 
-	spin_unlock_irqrestore(&ipmi_device->tx_msg_lock, flags);
 	if (!msg_found) {
 		dev_warn(&pnp_dev->dev, "Unexpected response (msg id %ld) is "
 			"returned.\n", msg->msgid);
-		goto out_msg;
+		goto out_lock;
 	}
 
 	/* copy the response data to Rx_data buffer */
@@ -284,6 +286,8 @@
 		tx_msg->msg_done = 1;
 	}
 	complete(&tx_msg->tx_complete);
+out_lock:
+	spin_unlock_irqrestore(&ipmi_device->tx_msg_lock, flags);
 out_msg:
 	ipmi_free_recv_msg(msg);
 };