ipmi: fix memleak when unload ipmi driver
authorZhang Yuchen <zhangyuchen.lcr@bytedance.com>
Fri, 7 Oct 2022 09:26:17 +0000 (17:26 +0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 7 Jan 2023 11:07:31 +0000 (12:07 +0100)
[ Upstream commit 36992eb6b9b83f7f9cdc8e74fb5799d7b52e83e9 ]

After the IPMI disconnect problem, the memory kept rising and we tried
to unload the driver to free the memory. However, only part of the
free memory is recovered after the driver is uninstalled. Using
ebpf to hook free functions, we find that neither ipmi_user nor
ipmi_smi_msg is free, only ipmi_recv_msg is free.

We find that the deliver_smi_err_response call in clean_smi_msgs does
the destroy processing on each message from the xmit_msg queue without
checking the return value and free ipmi_smi_msg.

deliver_smi_err_response is called only at this location. Adding the
free handling has no effect.

To verify, try using ebpf to trace the free function.

  $ bpftrace -e 'kretprobe:ipmi_alloc_recv_msg {printf("alloc rcv
      %p\n",retval);} kprobe:free_recv_msg {printf("free recv %p\n",
      arg0)} kretprobe:ipmi_alloc_smi_msg {printf("alloc smi %p\n",
        retval);} kprobe:free_smi_msg {printf("free smi  %p\n",arg0)}'

Signed-off-by: Zhang Yuchen <zhangyuchen.lcr@bytedance.com>
Message-Id: <20221007092617.87597-4-zhangyuchen.lcr@bytedance.com>
[Fixed the comment above handle_one_recv_msg().]
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
drivers/char/ipmi/ipmi_msghandler.c

index 74044b52d2c6d799040b2085452c9dc4d20b66bc..97d3c9d4ebc7d904bbc7b77b6fb3cefeb47d47a2 100644 (file)
@@ -2930,12 +2930,16 @@ static void deliver_smi_err_response(ipmi_smi_t intf,
                                     struct ipmi_smi_msg *msg,
                                     unsigned char err)
 {
+       int rv;
        msg->rsp[0] = msg->data[0] | 4;
        msg->rsp[1] = msg->data[1];
        msg->rsp[2] = err;
        msg->rsp_size = 3;
-       /* It's an error, so it will never requeue, no need to check return. */
-       handle_one_recv_msg(intf, msg);
+
+       /* This will never requeue, but it may ask us to free the message. */
+       rv = handle_one_recv_msg(intf, msg);
+       if (rv == 0)
+               ipmi_free_smi_msg(msg);
 }
 
 static void cleanup_smi_msgs(ipmi_smi_t intf)