Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753654AbdCWHfD (ORCPT ); Thu, 23 Mar 2017 03:35:03 -0400 Received: from wolverine02.qualcomm.com ([199.106.114.251]:46070 "EHLO wolverine02.qualcomm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751538AbdCWHfB (ORCPT ); Thu, 23 Mar 2017 03:35:01 -0400 X-IronPort-AV: E=Sophos;i="5.36,208,1486454400"; d="scan'208";a="367579597" X-IronPort-AV: E=McAfee;i="5800,7501,8475"; a="1383907421" X-MGA-submission: =?us-ascii?q?MDFYLUPPp8wm3Ro1cOw9rfVtVkhq74cHrPiSRV?= =?us-ascii?q?9j+QNP7X0TEwvIW0TjLf0wLQp35AZiW1X8bF/QavdXYXRnyEvsWEs4NE?= =?us-ascii?q?Sf0wsR0znMBOtf2F00OVOxsoOZG6lgXQRelDCrOvUxpSxqvUnVEeSXd3?= =?us-ascii?q?B9?= From: Joeseph Chang To: minyard@acm.org, openipmi-developer@lists.sourceforge.net, linux-kernel@vger.kernel.org, joechang@qti.qualcomm.com Cc: anjiandi@qti.qualcomm.com, Joeseph Chang Subject: [PATCH] ipmi: Fix kernel panic at ipmi_ssif_thread() Date: Thu, 23 Mar 2017 01:07:12 -0600 Message-Id: <1490252832-20381-1-git-send-email-joechang@qti.qualcomm.com> X-Mailer: git-send-email 1.9.1 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1938 Lines: 58 From: Joeseph Chang msg_written_handler() may set ssif_info->multi_data to NULL when using ipmitool to write fru. Change the ssif i2c send data sequence in msg_written_handler() to fix NULL pointer kernel panic and incorrect ssif_info->multi_pos. Signed-off-by: Joeseph Chang --- drivers/char/ipmi/ipmi_ssif.c | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/drivers/char/ipmi/ipmi_ssif.c b/drivers/char/ipmi/ipmi_ssif.c index cca6e5b..39346ee 100644 --- a/drivers/char/ipmi/ipmi_ssif.c +++ b/drivers/char/ipmi/ipmi_ssif.c @@ -899,21 +899,13 @@ static void msg_written_handler(struct ssif_info *ssif_info, int result, left = 32; /* Length byte. */ ssif_info->multi_data[ssif_info->multi_pos] = left; - ssif_info->multi_pos += left; - if (left < 32) - /* - * Write is finished. Note that we must end - * with a write of less than 32 bytes to - * complete the transaction, even if it is - * zero bytes. - */ - ssif_info->multi_data = NULL; rv = ssif_i2c_send(ssif_info, msg_written_handler, I2C_SMBUS_WRITE, SSIF_IPMI_MULTI_PART_REQUEST_MIDDLE, ssif_info->multi_data + ssif_info->multi_pos, I2C_SMBUS_BLOCK_DATA); + if (rv < 0) { /* request failed, just return the error. */ ssif_inc_stat(ssif_info, send_errors); @@ -922,6 +914,16 @@ static void msg_written_handler(struct ssif_info *ssif_info, int result, pr_info("Error from i2c_non_blocking_op(3)\n"); msg_done_handler(ssif_info, -EIO, NULL, 0); } + + ssif_info->multi_pos += left; + if (left < 32) + /* + * Write is finished. Note that we must end + * with a write of less than 32 bytes to + * complete the transaction, even if it is + * zero bytes. + */ + ssif_info->multi_data = NULL; } else { /* Ready to request the result. */ unsigned long oflags, *flags; -- 1.9.1