git.ipfire.org Git - thirdparty/kernel/stable.git/commit
ipmi: Fix handling of messages with provided receive message pointer
author Guenter Roeck <linux@roeck-us.net>
Thu, 16 Oct 2025 18:50:58 +0000 (13:50 -0500)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 19 Oct 2025 14:23:21 +0000 (16:23 +0200)
commit 75b52144bcda352aa6574bcf0888c9068060c10f
tree c2c645b6198b84443abff67c0514e166359abb93
parent f63723ca7d7623f9dae1990973cd158671f03c56
ipmi: Fix handling of messages with provided receive message pointer

commit e2c69490dda5d4c9f1bfbb2898989c8f3530e354 upstream

Prior to commit b52da4054ee0 ("ipmi: Rework user message limit handling"),
i_ipmi_request() used to increase the user reference counter if the receive
message is provided by the caller of IPMI API functions. This is no longer
the case. However, ipmi_free_recv_msg() is still called and decreases the
reference counter. This results in the reference counter reaching zero,
the user data pointer is released, and all kinds of interesting crashes are
seen.

Fix the problem by increasing user reference counter if the receive message
has been provided by the caller.

Fixes: b52da4054ee0 ("ipmi: Rework user message limit handling")
Reported-by: Eric Dumazet <edumazet@google.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Greg Thelen <gthelen@google.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Message-ID: <20251006201857.3433837-1-linux@roeck-us.net>
Signed-off-by: Corey Minyard <corey@minyard.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/char/ipmi/ipmi_msghandler.c
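
The reference-count imbalance described in the commit message, as an added toy model in user-space C. It is not the kernel's code and not part of this commit: every `toy_*` name is hypothetical, and the model assumes the user's creator holds exactly one reference of its own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy model only: all names are hypothetical, not taken from ipmi_msghandler.c. */
struct toy_user { int refcount; bool released; };
struct toy_recv_msg { struct toy_user *user; };

static void toy_user_get(struct toy_user *u) { u->refcount++; }

static void toy_user_put(struct toy_user *u)
{
    if (--u->refcount == 0)
        u->released = true;  /* stands in for releasing the user data */
}

/* Request path for a receive message supplied by the caller.
 * take_ref == false models the regression: no reference is taken.
 * take_ref == true models the fix: the message holds its own reference. */
static void toy_request(struct toy_user *u, struct toy_recv_msg *supplied,
                        bool take_ref)
{
    supplied->user = u;
    if (take_ref)
        toy_user_get(u);
}

/* Free path: always drops one reference, whether or not one was taken. */
static void toy_free_recv_msg(struct toy_recv_msg *m)
{
    if (m->user) {
        toy_user_put(m->user);
        m->user = NULL;
    }
}

/* True if the user was released while its creator still holds a reference
 * (assumption of this model: the creator's reference is the initial 1). */
static bool released_early(bool take_ref)
{
    struct toy_user u = { .refcount = 1, .released = false };
    struct toy_recv_msg msg = { NULL };

    toy_request(&u, &msg, take_ref);
    toy_free_recv_msg(&msg);
    return u.released;
}

int main(void)
{
    printf("regressed: released early = %d\n", released_early(false));
    printf("fixed:     released early = %d\n", released_early(true));
    return 0;
}
```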