On Thu, May 21, 2026 at 02:06:27PM +0100, Matt Fleming wrote:
> From: Matt Fleming <[email protected]>
> 
> ipmi_alloc_recv_msg(user) takes the temporary user reference owned by the
> receive message, and ipmi_free_recv_msg() drops it again. If event delivery
> fails after allocating receive messages for earlier users,
> handle_read_event_rsp() rolls those messages back with
> ipmi_free_recv_msg().
> 
> That rollback path still drops user->refcount explicitly after freeing each
> message. The extra put can free a user that remains linked on intf->users,
> so later event delivery may dereference a freed user or trip refcount_t's
> addition-on-zero warning when ipmi_alloc_recv_msg() tries to acquire
> another reference.
> 
> Remove the stale explicit put and the now-dead user assignment. Keep the
> list_del() and ipmi_free_recv_msg() calls; they are the required rollback
> operations.

Yes, this is correct.  Queued in the ipmi next tree for next release.

Thanks,

-corey

> 
> Fixes: b52da4054ee0 ("ipmi: Rework user message limit handling")
> Cc: [email protected]
> Signed-off-by: Matt Fleming <[email protected]>
> ---
>  drivers/char/ipmi/ipmi_msghandler.c | 2 --
>  1 file changed, 2 deletions(-)
> 
> diff --git a/drivers/char/ipmi/ipmi_msghandler.c 
> b/drivers/char/ipmi/ipmi_msghandler.c
> index 869ac87a4b6a..52561a880e54 100644
> --- a/drivers/char/ipmi/ipmi_msghandler.c
> +++ b/drivers/char/ipmi/ipmi_msghandler.c
> @@ -4477,10 +4477,8 @@ static int handle_read_event_rsp(struct ipmi_smi *intf,
>                       mutex_unlock(&intf->users_mutex);
>                       list_for_each_entry_safe(recv_msg, recv_msg2, &msgs,
>                                                link) {
> -                             user = recv_msg->user;
>                               list_del(&recv_msg->link);
>                               ipmi_free_recv_msg(recv_msg);
> -                             kref_put(&user->refcount, free_ipmi_user);
>                       }
>                       /*
>                        * We couldn't allocate memory for the
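Review bot: the rollback loop in handle_read_event_rsp() now relies on ipmi_free_recv_msg() being the only place that drops the user reference taken by ipmi_alloc_recv_msg(), and nothing at the call site records that ownership rule. A one-line comment above ipmi_free_recv_msg(recv_msg) in the list_for_each_entry_safe() body, saying that it also releases the user reference, would keep a later cleanup from reintroducing the kref_put(). The diffstat shows only the two deletions, so also confirm that the local user variable is still used elsewhere in the function now that "user = recv_msg->user;" is gone; if it is not, its declaration should be removed as well to avoid an unused-variable warning.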
> -- 
> 2.43.0
> 

