On 10/7/25 04:45, Corey Minyard wrote:
On Mon, Oct 06, 2025 at 01:18:57PM -0700, Guenter Roeck wrote:
Prior to commit b52da4054ee0 ("ipmi: Rework user message limit handling"),
i_ipmi_request() used to increase the user reference counter if the receive
message is provided by the caller of IPMI API functions. This is no longer
the case. However, ipmi_free_recv_msg() is still called and decreases the
reference counter. This results in the reference counter reaching zero,
the user data pointer is released, and all kinds of interesting crashes are
seen.
Fix the problem by increasing user reference counter if the receive message
has been provided by the caller.
Yes, the only interface that uses this that would matter is the watchdog
timer, which my tests don't currently cover. I guess I need to add some
tests.
Yes, that is the one that is crashing. Sorry, I should have mentioned that.
Sorry, and thanks for the fix. It's queued for next release.
Thanks!
Guenter
_______________________________________________
Openipmi-developer mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openipmi-developer
