Re: [PATCH stable] ipmi:msghandler: Fix potential memory corruption in ipmi_create_user()

1 Jul 2025


      [ Sasha's backport helper bot ]
Hi,
✅ All tests passed successfully. No issues detected.
No action required from the submitter.
The upstream commit SHA1 provided is correct: fa332f5dc6fc662ad7d3200048772c96b861cf6b
WARNING: Author mismatch between patch and upstream commit:
Backport author: Brendan Jackmanjackmanb@google.com
Commit author: Dan Carpenterdan.carpenter@linaro.org
Note: The patch differs from the upstream commit:
---
1:  fa332f5dc6fc6 ! 1:  5984afb270d63 ipmi:msghandler: Fix potential memory corruption in ipmi_create_user()
    @@ Metadata
      ## Commit message ##
         ipmi:msghandler: Fix potential memory corruption in ipmi_create_user()
+    commit fa332f5dc6fc662ad7d3200048772c96b861cf6b upstream
    +
         The "intf" list iterator is an invalid pointer if the correct
         "intf->intf_num" is not found.  Calling atomic_dec(&intf->nr_users) on
         and invalid pointer will lead to memory corruption.
    @@ Commit message
         Signed-off-by: Dan Carpenter dan.carpenter@linaro.org
         Message-ID: aBjMZ8RYrOt6NOgi@stanley.mountain
         Signed-off-by: Corey Minyard corey@minyard.net
    +    Signed-off-by: Brendan Jackman jackmanb@google.com
## drivers/char/ipmi/ipmi_msghandler.c ##
     @@ drivers/char/ipmi/ipmi_msghandler.c: int ipmi_create_user(unsigned int          if_num,
    @@ drivers/char/ipmi/ipmi_msghandler.c: int ipmi_create_user(unsigned int
     +	goto out_unlock;
found:
    - 	if (intf->in_shutdown) {
    - 		rv = -ENODEV;
    --		goto out_kfree;
    -+		goto out_unlock;
    - 	}
    - 
      	if (atomic_add_return(1, &intf->nr_users) > max_users) {
     @@ drivers/char/ipmi/ipmi_msghandler.c: int ipmi_create_user(unsigned int          if_num,
    - 	} else {
    - 		*user = new_user;
    - 	}
    + 
    + out_kfree:
    + 	atomic_dec(&intf->nr_users);
     +out_unlock:
    - 	mutex_unlock(&ipmi_interfaces_mutex);
    + 	srcu_read_unlock(&ipmi_interfaces_srcu, index);
    + 	vfree(new_user);
      	return rv;
    - }
---
Results of testing on various branches:
| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-6.15.y       |  Success    |  Success   |
| stable/linux-6.12.y       |  Success    |  Success   |
| stable/linux-6.6.y        |  Success    |  Success   |
| stable/linux-6.1.y        |  Success    |  Success   |
| stable/linux-5.15.y       |  Success    |  Success   |
| stable/linux-5.10.y       |  Success    |  Success   |
| stable/linux-5.4.y        |  Success    |  Success   |

2025

2024

2023

2022

2021

2020

2019

2018

2017

Re: [PATCH stable] ipmi:msghandler: Fix potential memory corruption in ipmi_create_user()