Project

General

Profile

Bug #11839

ipmi_close can panic trying to free invalid dev_t

Added by Albert Lee about 1 year ago.

Status:
New
Priority:
Low
Assignee:
Category:
driver - device drivers
Start date:
Due date:
% Done:

0%

Estimated time:
Difficulty:
Bite-size
Tags:
Gerrit CR:

Description

We've experienced panics in ipmi_close calling id_free which bottoms out in a vmem_hash_delete with a NULL address. This is due to an invalid id_t present at the time the pseudo device is allocated in ipmi_open. It comes from id_alloc_nosleep which is allowed to return -1 if no memory is available without sleeping. id_ts are translated from vmem arena addresses by decrementing by 1, so this is a NULL address internally. ipmi_open incorrectly handles the id_alloc_nosleep error case as 0 instead of -1. It should just use id_alloc() as it also performs other sleeping allocations already.

No data to display

Also available in: Atom PDF