Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

ipmi:msghandler: Fix potential memory corruption in ipmi_create_user()

The "intf" list iterator is an invalid pointer if the correct
"intf->intf_num" is not found. Calling atomic_dec(&intf->nr_users) on
an invalid pointer will lead to memory corruption.

We don't really need to call atomic_dec() if we haven't called
atomic_add_return() so update the if (intf->in_shutdown) path as well.

Fixes: 8e76741c3d8b ("ipmi: Add a limit on the number of users that may use IPMI")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Message-ID: <aBjMZ8RYrOt6NOgi@stanley.mountain>
Signed-off-by: Corey Minyard <corey@minyard.net>
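The iterator-after-loop pitfall the commit message describes, shown as an added user-space C example that is not the kernel's code: a minimal reimplementation of the intrusive list macros (assumed to behave like include/linux/list.h for this purpose), a stand-in struct ipmi_smi carrying only the fields the lookup touches, and two lookups, one with the pre-fix control flow and one with the post-fix flow. The names lookup_buggy, lookup_fixed, is_registered and the plain-int errno values are illustrative, not the driver's.

```c
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Minimal user-space re-implementation of the kernel's intrusive list.
 * Assumed to match include/linux/list.h closely enough for this demo. */
struct list_head { struct list_head *next, *prev; };

#define LIST_HEAD_INIT(name) { &(name), &(name) }
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
#define list_entry(ptr, type, member) container_of(ptr, type, member)
/* On a full traversal pos ends up as container_of(head), not a real entry. */
#define list_for_each_entry(pos, head, member)                          \
	for (pos = list_entry((head)->next, __typeof__(*pos), member);      \
	     &pos->member != (head);                                        \
	     pos = list_entry(pos->member.next, __typeof__(*pos), member))

static void list_add_tail(struct list_head *entry, struct list_head *head)
{
	struct list_head *prev = head->prev;
	entry->next = head;  entry->prev = prev;
	prev->next = entry;  head->prev = entry;
}

/* Stand-in for struct ipmi_smi: only what the lookup path touches. */
struct ipmi_smi {
	struct list_head link;
	int  intf_num;
	bool in_shutdown;
	int  nr_users;      /* atomic_t in the kernel; plain int here */
};

static struct list_head ipmi_interfaces = LIST_HEAD_INIT(ipmi_interfaces);

/* Pre-fix control flow. When nothing matches, intf is the bogus
 * container_of() of the list head itself, and the original shared error
 * path would have done atomic_dec(&intf->nr_users) through it. We return
 * the pointer instead of dereferencing it so the caller can inspect it. */
static struct ipmi_smi *lookup_buggy(int if_num, int *rv)
{
	struct ipmi_smi *intf;

	list_for_each_entry(intf, &ipmi_interfaces, link) {
		if (intf->intf_num == if_num)
			goto found;
	}
	*rv = -22;          /* -EINVAL; intf is NOT a valid element here */
	return intf;
found:
	*rv = 0;
	return intf;
}

/* Post-fix control flow: the not-found and in_shutdown paths leave before
 * any cleanup that dereferences intf, and nr_users is only decremented on
 * the one path that incremented it. */
static struct ipmi_smi *lookup_fixed(int if_num, int max_users, int *rv)
{
	struct ipmi_smi *intf;

	list_for_each_entry(intf, &ipmi_interfaces, link) {
		if (intf->intf_num == if_num)
			goto found;
	}
	*rv = -22;          /* -EINVAL: never touch intf */
	return NULL;
found:
	if (intf->in_shutdown) {
		*rv = -19;      /* -ENODEV: nothing was incremented, nothing to undo */
		return NULL;
	}
	if (++intf->nr_users > max_users) {
		intf->nr_users--;   /* undo only what this path did */
		*rv = -16;      /* -EBUSY */
		return NULL;
	}
	*rv = 0;
	return intf;
}

/* True if p is the address of a registered interface. */
static bool is_registered(const struct ipmi_smi *p)
{
	struct ipmi_smi *it;
	list_for_each_entry(it, &ipmi_interfaces, link)
		if (it == p)
			return true;
	return false;
}

/* Constructed sample interfaces: 0 is live, 1 is shutting down. */
static struct ipmi_smi intf0 = { .intf_num = 0 };
static struct ipmi_smi intf1 = { .intf_num = 1, .in_shutdown = true };

static void setup(void)
{
	static bool done;
	if (done)
		return;
	done = true;
	list_add_tail(&intf0.link, &ipmi_interfaces);
	list_add_tail(&intf1.link, &ipmi_interfaces);
}

int main(void)
{
	int rv;
	setup();
	struct ipmi_smi *p = lookup_buggy(7, &rv);
	printf("buggy lookup of 7: rv=%d, registered=%d, overlaps list head=%d\n",
	       rv, is_registered(p), (void *)p == (void *)&ipmi_interfaces);
	printf("fixed lookup of 7: %p rv=%d\n", (void *)lookup_fixed(7, 1, &rv), rv);
	return 0;
}
```

The buggy variant's result for a missing interface is the list head reinterpreted as a struct ipmi_smi, so nr_users lies outside the head's storage; that is the write the commit removes from the not-found and in_shutdown paths.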

authored by Dan Carpenter and committed by Corey Minyard
fa332f5d 971a0045

+3 -2
drivers/char/ipmi/ipmi_msghandler.c
··· 1240 1240 } 1241 1241 /* Not found, return an error */ 1242 1242 rv = -EINVAL; 1243 - goto out_kfree; 1243 + goto out_unlock; 1244 1244 1245 1245 found: 1246 1246 if (intf->in_shutdown) { 1247 1247 rv = -ENODEV; 1248 - goto out_kfree; 1248 + goto out_unlock; 1249 1249 } 1250 1250 1251 1251 if (atomic_add_return(1, &intf->nr_users) > max_users) { ··· 1293 1293 } else { 1294 1294 *user = new_user; 1295 1295 } 1296 + out_unlock: 1296 1297 mutex_unlock(&ipmi_interfaces_mutex); 1297 1298 return rv; 1298 1299 }
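Review bot: the two paths changed to `goto out_unlock` (not-found at 1243 and in_shutdown at 1248) now bypass the entire out_kfree block, and both the label's name and the `*user = new_user;` assignment in its else branch at 1294 indicate that new_user has already been allocated by this point. If out_kfree is where new_user is released on error, these two paths now leak it; either release it with the matching free call before jumping, e.g. free new_user then `goto out_unlock;`, or move the allocation below the interface lookup so there is nothing to free on these paths. Skipping atomic_dec() here is correct, since neither path has executed atomic_add_return(), but the handling of new_user should be confirmed rather than implied.

Review bot: out_unlock at 1296 is only safe for paths that reach it before nr_users has been incremented and before new_user has been linked into the interface; a one-line comment above the label stating that would keep a future error path added after atomic_add_return() from being routed there and silently skipping the decrement done under out_kfree. Placing the label directly after that block so out_kfree falls through into the unlock is fine.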