[Skiboot] [RESEND PATCH] fix lock error when BT IRQ preempt BT timer

Vasant Hegde hegdevasant at linux.vnet.ibm.com
Wed Jan 13 21:02:51 AEDT 2021


From: lixg <lixgemail at gmail.com>

BT IRQ may preempt BT timer if BMC response host when bt msg timeout.
When BT IRQ preempt BT timer, the infight_bt_msg did not protected by bt.lock very well.

And we will see the following log:
[29006114.163785853,3] BT: seq 0x81 netfn 0x0a cmd 0x23: Timeout sending message
[29006114.288029290,3] BT: seq 0x81 netfn 0x0b cmd 0x23: Timeout sending message
[29006114.288917798,3] IPMI: Incorrect netfn 0x0b in response

It may cause 'CPU Hardlock UP', 'memory refree', 'kernel crash' or something else...

Signed-off-by: lixg <867314078 at qq.com>
---
Lixg,
  Your patch was filtered out and didn't hit mailing list. Hence
  resending your patch.
  I have fixed mailing list issue. Now all your patches/responses will
  come to maiilng list.

-Vasant

 hw/bt.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/hw/bt.c b/hw/bt.c
index cf967f899..5016feab6 100644
--- a/hw/bt.c
+++ b/hw/bt.c
@@ -211,6 +211,11 @@ static void bt_msg_del(struct bt_msg *bt_msg)
 {
 	list_del(&bt_msg->link);
 	bt.queue_len--;
+
+	/* once inflight_bt_msg out of list, it should be emptyed */
+	if (bt_msg == inflight_bt_msg)
+		inflight_bt_msg = NULL;
+
 	unlock(&bt.lock);
 	ipmi_cmd_done(bt_msg->ipmi_msg.cmd,
 		      IPMI_NETFN_RETURN_CODE(bt_msg->ipmi_msg.netfn),
@@ -393,9 +398,6 @@ static void bt_expire_old_msg(uint64_t tb)
 			BT_Q_ERR(bt_msg, "Timeout sending message");
 			bt_msg_del(bt_msg);
 
-			/* Ready to send next message */
-			inflight_bt_msg = NULL;
-
 			/*
 			 * Timing out a message is inherently racy as the BMC
 			 * may start writing just as we decide to kill the
-- 
2.26.2



More information about the Skiboot mailing list