From 4791c03d2c3b9b6822784f6d7c8e5bbadb1f35ae Mon Sep 17 00:00:00 2001 From: Corey Minyard Date: Mon, 10 Apr 2006 22:54:31 -0700 Subject: [PATCH] ipmi: fix event queue limit The event handler mechanism in the IPMI driver had a limit on the number of received events, but the counts were not being updated. Update the counts to impose a limit. This is not a critical fix, as this function (the sending of the events) has to be turned on by the user, anyway. This avoids problems if they forget to turn it back off. Signed-off-by: Corey Minyard Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- drivers/char/ipmi/ipmi_msghandler.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'drivers/char/ipmi') diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c index 0ded046d5aa..9f2f8fdec69 100644 --- a/drivers/char/ipmi/ipmi_msghandler.c +++ b/drivers/char/ipmi/ipmi_msghandler.c @@ -941,6 +941,7 @@ int ipmi_set_gets_events(ipmi_user_t user, int val) list_del(&msg->link); list_add_tail(&msg->link, &msgs); } + intf->waiting_events_count = 0; } /* Hold the events lock while doing this to preserve order. */ @@ -2916,6 +2917,7 @@ static int handle_read_event_rsp(ipmi_smi_t intf, copy_event_into_recv_msg(recv_msg, msg); list_add_tail(&(recv_msg->link), &(intf->waiting_events)); + intf->waiting_events_count++; } else { /* There's too many things in the queue, discard this message. */ -- cgit v1.2.3 From 7420884c038f326bdac3a8ded856033523e7684e Mon Sep 17 00:00:00 2001 From: Randy Dunlap Date: Tue, 18 Apr 2006 22:21:52 -0700 Subject: [PATCH] IPMI: fix devinit placement gcc complains about __devinit in the wrong location: drivers/char/ipmi/ipmi_si_intf.c:2205: warning: '__section__' attribute does not apply to types Signed-off-by: Randy Dunlap Acked-by: Corey Minyard Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- drivers/char/ipmi/ipmi_si_intf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'drivers/char/ipmi') diff --git a/drivers/char/ipmi/ipmi_si_intf.c b/drivers/char/ipmi/ipmi_si_intf.c index a86c0f29953..b36eef0e9d1 100644 --- a/drivers/char/ipmi/ipmi_si_intf.c +++ b/drivers/char/ipmi/ipmi_si_intf.c @@ -2198,11 +2198,11 @@ static inline void wait_for_timer_and_thread(struct smi_info *smi_info) } } -static struct ipmi_default_vals +static __devinitdata struct ipmi_default_vals { int type; int port; -} __devinit ipmi_defaults[] = +} ipmi_defaults[] = { { .type = SI_KCS, .port = 0xca2 }, { .type = SI_SMIC, .port = 0xca9 }, -- cgit v1.2.3 From 3fb0cb5d0f8b915a75677e8e8e4a4a4e481f03f7 Mon Sep 17 00:00:00 2001 From: Heikki Orsila Date: Tue, 18 Apr 2006 22:21:55 -0700 Subject: [PATCH] Open IPMI BT overflow I was looking into random driver code and found a suspicious looking memcpy() in drivers/char/ipmi/ipmi_bt_sm.c on 2.6.17-rc1: if ((size < 2) || (size > IPMI_MAX_MSG_LENGTH)) return -1; ... memcpy(bt->write_data + 3, data + 1, size - 1); where sizeof bt->write_data is IPMI_MAX_MSG_LENGTH. It looks like the memcpy would overflow by 2 bytes if size == IPMI_MAX_MSG_LENGTH. A patch attached to limit size to (IPMI_MAX_LENGTH - 2). Cc: Corey Minyard Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- drivers/char/ipmi/ipmi_bt_sm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/char/ipmi') diff --git a/drivers/char/ipmi/ipmi_bt_sm.c b/drivers/char/ipmi/ipmi_bt_sm.c index 58dcdee1cd7..0030cd8e2e9 100644 --- a/drivers/char/ipmi/ipmi_bt_sm.c +++ b/drivers/char/ipmi/ipmi_bt_sm.c @@ -165,7 +165,7 @@ static int bt_start_transaction(struct si_sm_data *bt, { unsigned int i; - if ((size < 2) || (size > IPMI_MAX_MSG_LENGTH)) + if ((size < 2) || (size > (IPMI_MAX_MSG_LENGTH - 2))) return -1; if ((bt->state != BT_STATE_IDLE) && (bt->state != BT_STATE_HOSED)) -- cgit v1.2.3