Re: [PATCH v2 1/5] ipmi: ssif_bmc: cancel response timer on remove

Next message: Corey Minyard: "Re: [PATCH v2 5/5] ipmi: ssif_bmc: add unit test for state machine"
Previous message: Jiayuan Chen: "[PATCH net v1] net: mptcp: fix slab-use-after-free in __inet_lookup_established"
In reply to: Corey Minyard: "Re: [PATCH v2 5/5] ipmi: ssif_bmc: add unit test for state machine"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Corey Minyard

Date: Fri Apr 03 2026 - 09:12:31 EST

On Fri, Apr 03, 2026 at 05:05:58PM +0800, Jian Zhang wrote:
> The response timer can stay armed across device teardown. If it fires after
> remove, the callback dereferences the SSIF context and the i2c client after
> teardown has started.
>
> Cancel the timer in remove so the callback cannot run after the device is
> unregistered.

Thanks for the updates on this. I have the new version in my tree. I
have one question on the kunit patch, I'll ask it there.

-corey

>
> Signed-off-by: Jian Zhang <zhangjian.3032@xxxxxxxxxxxxx>
> ---
> v2: use timer_delete_sync() to cancel the timer
>
> drivers/char/ipmi/ssif_bmc.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/char/ipmi/ssif_bmc.c b/drivers/char/ipmi/ssif_bmc.c
> index 7a52e3ea49ed..dc1d5bb4a460 100644
> --- a/drivers/char/ipmi/ssif_bmc.c
> +++ b/drivers/char/ipmi/ssif_bmc.c
> @@ -843,6 +843,7 @@ static void ssif_bmc_remove(struct i2c_client *client)
> {
> struct ssif_bmc_ctx *ssif_bmc = i2c_get_clientdata(client);
>
> + timer_delete_sync(&ssif_bmc->response_timer);
> i2c_slave_unregister(client);
> misc_deregister(&ssif_bmc->miscdev);
> }
> --
> 2.20.1