[ Sasha's backport helper bot ]
Hi,
✅ All tests passed successfully. No issues detected. No action required from the submitter.
The upstream commit SHA1 provided is correct: fa332f5dc6fc662ad7d3200048772c96b861cf6b
WARNING: Author mismatch between patch and upstream commit: Backport author: Brendan Jackmanjackmanb@google.com Commit author: Dan Carpenterdan.carpenter@linaro.org
Note: The patch differs from the upstream commit: --- 1: fa332f5dc6fc6 ! 1: 5984afb270d63 ipmi:msghandler: Fix potential memory corruption in ipmi_create_user() @@ Metadata ## Commit message ## ipmi:msghandler: Fix potential memory corruption in ipmi_create_user()
+ commit fa332f5dc6fc662ad7d3200048772c96b861cf6b upstream + The "intf" list iterator is an invalid pointer if the correct "intf->intf_num" is not found. Calling atomic_dec(&intf->nr_users) on and invalid pointer will lead to memory corruption. @@ Commit message Signed-off-by: Dan Carpenter dan.carpenter@linaro.org Message-ID: aBjMZ8RYrOt6NOgi@stanley.mountain Signed-off-by: Corey Minyard corey@minyard.net + Signed-off-by: Brendan Jackman jackmanb@google.com
## drivers/char/ipmi/ipmi_msghandler.c ## @@ drivers/char/ipmi/ipmi_msghandler.c: int ipmi_create_user(unsigned int if_num, @@ drivers/char/ipmi/ipmi_msghandler.c: int ipmi_create_user(unsigned int + goto out_unlock;
found: - if (intf->in_shutdown) { - rv = -ENODEV; -- goto out_kfree; -+ goto out_unlock; - } - if (atomic_add_return(1, &intf->nr_users) > max_users) { @@ drivers/char/ipmi/ipmi_msghandler.c: int ipmi_create_user(unsigned int if_num, - } else { - *user = new_user; - } + + out_kfree: + atomic_dec(&intf->nr_users); +out_unlock: - mutex_unlock(&ipmi_interfaces_mutex); + srcu_read_unlock(&ipmi_interfaces_srcu, index); + vfree(new_user); return rv; - } ---
Results of testing on various branches:
| Branch | Patch Apply | Build Test | |---------------------------|-------------|------------| | stable/linux-6.15.y | Success | Success | | stable/linux-6.12.y | Success | Success | | stable/linux-6.6.y | Success | Success | | stable/linux-6.1.y | Success | Success | | stable/linux-5.15.y | Success | Success | | stable/linux-5.10.y | Success | Success | | stable/linux-5.4.y | Success | Success |