iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
da2cf18ff8
linux/drivers/char/ipmi/ipmi_dmi.c
John Garry 5516e21a1e ipmi: use dynamic memory for DMI driver override 
Currently a crash can be seen if we reach the "err"
label in dmi_add_platform_ipmi(), calling
platform_device_put(), like here:
[    7.270584]  (null): ipmi:dmi: Unable to add resources: -16
[    7.330229] ------------[ cut here ]------------
[    7.334889] kernel BUG at mm/slub.c:3894!
[    7.338936] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
[    7.344475] Modules linked in:
[    7.347556] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.15.0-rc2-00004-gbe9cb7b-dirty #114
[    7.355907] Hardware name: Huawei Taishan 2280 /D05, BIOS Hisilicon D05 IT17 Nemo 2.0 RC0 11/29/2017
[    7.365137] task: 00000000c211f6d3 task.stack: 00000000f276e9af
[    7.371116] pstate: 60000005 (nZCv daif -PAN -UAO)
[    7.375957] pc : kfree+0x194/0x1b4
[    7.379389] lr : platform_device_release+0xcc/0xd8
[    7.384225] sp : ffff0000092dba90
[    7.387567] x29: ffff0000092dba90 x28: ffff000008a83000
[    7.392933] x27: ffff0000092dbc10 x26: 00000000000000e6
[    7.398297] x25: 0000000000000003 x24: ffff0000085b51e8
[    7.403662] x23: 0000000000000100 x22: ffff7e0000234cc0
[    7.409027] x21: ffff000008af3660 x20: ffff8017d21acc10
[    7.414392] x19: ffff8017d21acc00 x18: 0000000000000002
[    7.419757] x17: 0000000000000001 x16: 0000000000000008
[    7.425121] x15: 0000000000000001 x14: 6666666678303d65
[    7.430486] x13: 6469727265766f5f x12: 7265766972642e76
[    7.435850] x11: 6564703e2d617020 x10: 6530326435373638
[    7.441215] x9 : 3030303030303030 x8 : 3d76656420657361
[    7.446580] x7 : ffff000008f59df8 x6 : ffff8017fbe0ea50
[    7.451945] x5 : 0000000000000000 x4 : 0000000000000000
[    7.457309] x3 : ffffffffffffffff x2 : 0000000000000000
[    7.462674] x1 : 0fffc00000000800 x0 : ffff7e0000234ce0
[    7.468039] Process swapper/0 (pid: 1, stack limit = 0x00000000f276e9af)
[    7.474809] Call trace:
[    7.477272]  kfree+0x194/0x1b4
[    7.480351]  platform_device_release+0xcc/0xd8
[    7.484837]  device_release+0x34/0x90
[    7.488531]  kobject_put+0x70/0xcc
[    7.491961]  put_device+0x14/0x1c
[    7.495304]  platform_device_put+0x14/0x1c
[    7.499439]  dmi_add_platform_ipmi+0x348/0x3ac
[    7.503923]  scan_for_dmi_ipmi+0xfc/0x10c
[    7.507970]  do_one_initcall+0x38/0x124
[    7.511840]  kernel_init_freeable+0x188/0x228
[    7.516238]  kernel_init+0x10/0x100
[    7.519756]  ret_from_fork+0x10/0x18
[    7.523362] Code: f94002c0 37780080 f94012c0 37000040 (d4210000)
[    7.529552] ---[ end trace 11750e4787deef9e ]---
[    7.534228] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
[    7.534228]

This is because when the device is released in
platform_device_release(), we try to free
pdev.driver_override. This is a const string, hence
the crash.
Fix by using dynamic memory for pdev->driver_override.

Signed-off-by: John Garry <john.garry@huawei.com>
[Removed the free of driver_override from ipmi_si_remove_by_dev().  The
 free is done in platform_device_release(), and would result in a double
 free, and ipmi_si_remove_by_dev() is called by non-platform devices.]
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Cc: <stable@vger.kernel.org> # 4.14+
2018-01-22 08:07:54 -06:00

306 lines
6.9 KiB
C
Raw Blame History

// SPDX-License-Identifier: GPL-2.0
/*
* A hack to create a platform device from a DMI entry. This will
* allow autoloading of the IPMI drive based on SMBIOS entries.
*/
#include <linux/ipmi.h>
#include <linux/init.h>
#include <linux/dmi.h>
#include <linux/platform_device.h>
#include <linux/property.h>
#include "ipmi_si_sm.h"
#include "ipmi_dmi.h"
#define IPMI_DMI_TYPE_KCS 0x01
#define IPMI_DMI_TYPE_SMIC 0x02
#define IPMI_DMI_TYPE_BT 0x03
#define IPMI_DMI_TYPE_SSIF 0x04
struct ipmi_dmi_info {
enum si_type si_type;
u32 flags;
unsigned long addr;
u8 slave_addr;
struct ipmi_dmi_info *next;
};
static struct ipmi_dmi_info *ipmi_dmi_infos;
static int ipmi_dmi_nr __initdata;
#define set_prop_entry(_p_, _name_, type, val) \
do { \
struct property_entry *_p = &_p_; \
_p->name = _name_; \
_p->length = sizeof(type); \
_p->is_string = false; \
_p->value.type##_data = val; \
} while(0)
static void __init dmi_add_platform_ipmi(unsigned long base_addr,
u32 flags,
u8 slave_addr,
int irq,
int offset,
int type)
{
struct platform_device *pdev;
struct resource r[4];
unsigned int num_r = 1, size;
struct property_entry p[5];
unsigned int pidx = 0;
char *name, *override;
int rv;
enum si_type si_type;
struct ipmi_dmi_info *info;
memset(p, 0, sizeof(p));
name = "dmi-ipmi-si";
override = "ipmi_si";
switch (type) {
case IPMI_DMI_TYPE_SSIF:
name = "dmi-ipmi-ssif";
override = "ipmi_ssif";
offset = 1;
size = 1;
si_type = SI_TYPE_INVALID;
break;
case IPMI_DMI_TYPE_BT:
size = 3;
si_type = SI_BT;
break;
case IPMI_DMI_TYPE_KCS:
size = 2;
si_type = SI_KCS;
break;
case IPMI_DMI_TYPE_SMIC:
size = 2;
si_type = SI_SMIC;
break;
default:
pr_err("ipmi:dmi: Invalid IPMI type: %d\n", type);
return;
}
if (si_type != SI_TYPE_INVALID)
set_prop_entry(p[pidx++], "ipmi-type", u8, si_type);
set_prop_entry(p[pidx++], "slave-addr", u8, slave_addr);
set_prop_entry(p[pidx++], "addr-source", u8, SI_SMBIOS);
info = kmalloc(sizeof(*info), GFP_KERNEL);
if (!info) {
pr_warn("ipmi:dmi: Could not allocate dmi info\n");
} else {
info->si_type = si_type;
info->flags = flags;
info->addr = base_addr;
info->slave_addr = slave_addr;
info->next = ipmi_dmi_infos;
ipmi_dmi_infos = info;
}
pdev = platform_device_alloc(name, ipmi_dmi_nr);
if (!pdev) {
pr_err("ipmi:dmi: Error allocation IPMI platform device\n");
return;
}
pdev->driver_override = kasprintf(GFP_KERNEL, "%s",
override);
if (!pdev->driver_override)
goto err;
if (type == IPMI_DMI_TYPE_SSIF) {
set_prop_entry(p[pidx++], "i2c-addr", u16, base_addr);
goto add_properties;
}
memset(r, 0, sizeof(r));
r[0].start = base_addr;
r[0].end = r[0].start + offset - 1;
r[0].name = "IPMI Address 1";
r[0].flags = flags;
if (size > 1) {
r[1].start = r[0].start + offset;
r[1].end = r[1].start + offset - 1;
r[1].name = "IPMI Address 2";
r[1].flags = flags;
num_r++;
}
if (size > 2) {
r[2].start = r[1].start + offset;
r[2].end = r[2].start + offset - 1;
r[2].name = "IPMI Address 3";
r[2].flags = flags;
num_r++;
}
if (irq) {
r[num_r].start = irq;
r[num_r].end = irq;
r[num_r].name = "IPMI IRQ";
r[num_r].flags = IORESOURCE_IRQ;
num_r++;
}
rv = platform_device_add_resources(pdev, r, num_r);
if (rv) {
dev_err(&pdev->dev,
"ipmi:dmi: Unable to add resources: %d\n", rv);
goto err;
}
add_properties:
rv = platform_device_add_properties(pdev, p);
if (rv) {
dev_err(&pdev->dev,
"ipmi:dmi: Unable to add properties: %d\n", rv);
goto err;
}
rv = platform_device_add(pdev);
if (rv) {
dev_err(&pdev->dev, "ipmi:dmi: Unable to add device: %d\n", rv);
goto err;
}
ipmi_dmi_nr++;
return;
err:
platform_device_put(pdev);
}
/*
* Look up the slave address for a given interface. This is here
* because ACPI doesn't have a slave address while SMBIOS does, but we
* prefer using ACPI so the ACPI code can use the IPMI namespace.
* This function allows an ACPI-specified IPMI device to look up the
* slave address from the DMI table.
*/
int ipmi_dmi_get_slave_addr(enum si_type si_type, u32 flags,
unsigned long base_addr)
{
struct ipmi_dmi_info *info = ipmi_dmi_infos;
while (info) {
if (info->si_type == si_type &&
info->flags == flags &&
info->addr == base_addr)
return info->slave_addr;
info = info->next;
}
return 0;
}
EXPORT_SYMBOL(ipmi_dmi_get_slave_addr);
#define DMI_IPMI_MIN_LENGTH 0x10
#define DMI_IPMI_VER2_LENGTH 0x12
#define DMI_IPMI_TYPE 4
#define DMI_IPMI_SLAVEADDR 6
#define DMI_IPMI_ADDR 8
#define DMI_IPMI_ACCESS 0x10
#define DMI_IPMI_IRQ 0x11
#define DMI_IPMI_IO_MASK 0xfffe
static void __init dmi_decode_ipmi(const struct dmi_header *dm)
{
const u8 *data = (const u8 *) dm;
u32 flags = IORESOURCE_IO;
unsigned long base_addr;
u8 len = dm->length;
u8 slave_addr;
int irq = 0, offset;
int type;
if (len < DMI_IPMI_MIN_LENGTH)
return;
type = data[DMI_IPMI_TYPE];
slave_addr = data[DMI_IPMI_SLAVEADDR];
memcpy(&base_addr, data + DMI_IPMI_ADDR, sizeof(unsigned long));
if (len >= DMI_IPMI_VER2_LENGTH) {
if (type == IPMI_DMI_TYPE_SSIF) {
offset = 0;
flags = 0;
base_addr = data[DMI_IPMI_ADDR] >> 1;
if (base_addr == 0) {
/*
* Some broken systems put the I2C address in
* the slave address field. We try to
* accommodate them here.
*/
base_addr = data[DMI_IPMI_SLAVEADDR] >> 1;
slave_addr = 0;
}
} else {
if (base_addr & 1) {
/* I/O */
base_addr &= DMI_IPMI_IO_MASK;
} else {
/* Memory */
flags = IORESOURCE_MEM;
}
/*
* If bit 4 of byte 0x10 is set, then the lsb
* for the address is odd.
*/
base_addr |= (data[DMI_IPMI_ACCESS] >> 4) & 1;
irq = data[DMI_IPMI_IRQ];
/*
* The top two bits of byte 0x10 hold the
* register spacing.
*/
switch ((data[DMI_IPMI_ACCESS] >> 6) & 3) {
case 0: /* Byte boundaries */
offset = 1;
break;
case 1: /* 32-bit boundaries */
offset = 4;
break;
case 2: /* 16-byte boundaries */
offset = 16;
break;
default:
pr_err("ipmi:dmi: Invalid offset: 0\n");
return;
}
}
} else {
/* Old DMI spec. */
/*
* Note that technically, the lower bit of the base
* address should be 1 if the address is I/O and 0 if
* the address is in memory. So many systems get that
* wrong (and all that I have seen are I/O) so we just
* ignore that bit and assume I/O. Systems that use
* memory should use the newer spec, anyway.
*/
base_addr = base_addr & DMI_IPMI_IO_MASK;
offset = 1;
}
dmi_add_platform_ipmi(base_addr, flags, slave_addr, irq,
offset, type);
}
static int __init scan_for_dmi_ipmi(void)
{
const struct dmi_device *dev = NULL;
while ((dev = dmi_find_device(DMI_DEV_TYPE_IPMI, NULL, dev)))
dmi_decode_ipmi((const struct dmi_header *) dev->device_data);
return 0;
}
subsys_initcall(scan_for_dmi_ipmi);
Reference in New Issue View Git Blame Copy Permalink