Re: [Openipmi-developer] [PATCH] ipmi: fix refcount leak in i_ipmi_request()

Wed, 03 Jun 2026 05:24:23 -0700 

On Wed, Jun 03, 2026 at 12:06:34PM +0000, Wentao Liang wrote:
> When a caller provides a `supplied_recv` message to i_ipmi_request(),
> the function increments the user's `nr_msgs` reference count. If an
> error occurs later, the out_err cleanup path only frees the recv_msg
> if the function allocated it itself (i.e., !supplied_recv). In the
> supplied_recv case the cleanup is skipped, leaving the reference count
> elevated. The caller ipmi_request_supply_msgs() does not release the
> supplied_recv on error, so the reference is permanently leaked.
> 
> Fix this by explicitly reverting the reference count operations when a
> supplied recv_msg with a valid user pointer is present in the error
> path: decrement nr_msgs and drop the user's kref.

This looks correct, it's in my next queue.

Thanks,

-corey

> 
> Cc: [email protected]
> Fixes: b52da4054ee0 ("ipmi: Rework user message limit handling")
> Signed-off-by: Wentao Liang <[email protected]>
> ---
>  drivers/char/ipmi/ipmi_msghandler.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/drivers/char/ipmi/ipmi_msghandler.c 
> b/drivers/char/ipmi/ipmi_msghandler.c
> index 869ac87a4b6a..5b9d914cc7a9 100644
> --- a/drivers/char/ipmi/ipmi_msghandler.c
> +++ b/drivers/char/ipmi/ipmi_msghandler.c
> @@ -2347,6 +2347,10 @@ static int i_ipmi_request(struct ipmi_user     *user,
>               if (smi_msg == NULL) {
>                       if (!supplied_recv)
>                               ipmi_free_recv_msg(recv_msg);
> +                     else if (recv_msg->user) {
> +                             atomic_dec(&recv_msg->user->nr_msgs);
> +                             kref_put(&recv_msg->user->refcount, 
> free_ipmi_user);
> +                     }
>                       return -ENOMEM;
>               }
>       }
> @@ -2420,6 +2424,10 @@ static int i_ipmi_request(struct ipmi_user     *user,
>                       ipmi_free_smi_msg(smi_msg);
>               if (!supplied_recv)
>                       ipmi_free_recv_msg(recv_msg);
> +             else if (recv_msg->user) {
> +                     atomic_dec(&recv_msg->user->nr_msgs);
> +                     kref_put(&recv_msg->user->refcount, free_ipmi_user);
> +             }
>       }
>       return rv;
>  }
> -- 
> 2.34.1
> 


_______________________________________________
Openipmi-developer mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openipmi-developer

Reply via email to