linux-yocto/drivers/char/ipmi
Dan Carpenter e2d5c005df ipmi:msghandler: Fix potential memory corruption in ipmi_create_user()
commit fa332f5dc6 upstream.

The "intf" list iterator is an invalid pointer if the correct
"intf->intf_num" is not found.  Calling atomic_dec(&intf->nr_users) on
an invalid pointer will lead to memory corruption.

We don't really need to call atomic_dec() if we haven't called
atomic_add_return() so update the if (intf->in_shutdown) path as well.

Fixes: 8e76741c3d ("ipmi: Add a limit on the number of users that may use IPMI")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Message-ID: <aBjMZ8RYrOt6NOgi@stanley.mountain>
Signed-off-by: Corey Minyard <corey@minyard.net>
[ - Dropped change to the `if (intf->in_shutdown)` block since that logic
    doesn't exist yet.
  - Modified out_unlock to release the srcu lock instead of the mutex
    since we don't have the mutex here yet. ]
Signed-off-by: Brendan Jackman <jackmanb@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-07-17 18:35:12 +02:00
..
bt-bmc.c
ipmb_dev_int.c
ipmi_bt_sm.c
ipmi_devintf.c
ipmi_dmi.c
ipmi_dmi.h
ipmi_ipmb.c
ipmi_kcs_sm.c
ipmi_msghandler.c ipmi:msghandler: Fix potential memory corruption in ipmi_create_user() 2025-07-17 18:35:12 +02:00
ipmi_plat_data.c
ipmi_plat_data.h
ipmi_powernv.c
ipmi_poweroff.c
ipmi_si_hardcode.c
ipmi_si_hotmod.c
ipmi_si_intf.c
ipmi_si_mem_io.c
ipmi_si_parisc.c
ipmi_si_pci.c
ipmi_si_platform.c
ipmi_si_port_io.c
ipmi_si_sm.h
ipmi_si.h
ipmi_smic_sm.c
ipmi_ssif.c
ipmi_watchdog.c
Kconfig
kcs_bmc_aspeed.c
kcs_bmc_cdev_ipmi.c
kcs_bmc_client.h
kcs_bmc_device.h
kcs_bmc_npcm7xx.c
kcs_bmc_serio.c
kcs_bmc.c
kcs_bmc.h
Makefile
ssif_bmc.c ipmi: ssif_bmc: Fix new request loss when bmc ready for a response 2025-02-08 09:51:55 +01:00